[Snort-users] Stream5 reassembly

Parag Pote pipsparag at ...131...
Tue Jun 1 06:05:35 EDT 2010


So Joel, does this mean that when somebody fetches an HTTP page, the reassembly module assembles the complete HTTP page in a buffer and scans for signatures on the whole data? If the page is OK, does it flush the complete data?

Parag

--- On Mon, 5/31/10, Joel Esler <jesler at ...1935...> wrote:

> From: Joel Esler <jesler at ...1935...>
> Subject: Re: [Snort-users] Stream5 reassembly
> To: "Parag Pote" <pipsparag at ...131...>
> Cc: "Patrick Billings" <pbillings at ...1935...>, "snort-users at ...4137...orge.net" <snort-users at lists.sourceforge.net>
> Date: Monday, May 31, 2010, 11:24 AM
> It is mandatory if you want to detect anything.  The ports are simply
> the ports we are reassembling on for the ruleset, you can always add
> more.
> 
> --
> Joel Esler
> Sent from my iPhone
> 
> On May 31, 2010, at 8:04 AM, Parag Pote <pipsparag at ...131...> wrote:
> 
> > Thanks Joel.
> >
> > But I guess since it is configured only for some specific ports it is
> > not mandatory, right?
> >
> > Rgds,
> > Parag
> >
> >
> > --- On Mon, 5/31/10, Joel Esler <jesler at ...1935...> wrote:
> >
> >> From: Joel Esler <jesler at ...1935...>
> >> Subject: Re: [Snort-users] Stream5 reassembly
> >> To: "Parag Pote" <pipsparag at ...131...>
> >> Cc: "Patrick Billings" <pbillings at ...1935...>, "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
> >> Date: Monday, May 31, 2010, 7:31 AM
> >> This is something that is necessary
> >> for the proper intended operation of Snort, yes.
> >>
> >> --
> >> Sent from my iPad
> >> Joel Esler
> >> 302-223-5974
> >> Jabber:jesler at ...1935...
> >>
> >> On May 31, 2010, at 7:09 AM, Parag Pote <pipsparag at ...131...> wrote:
> >>
> >>> Thanks Patrick.
> >>>
> >>> But I didn't hear you saying if it is mandatory or can we ignore it?
> >>> Is it just an added feature?
> >>>
> >>> Parag
> >>>
> >>> --- On Mon, 5/31/10, Patrick Billings <pbillings at ...1935...> wrote:
> >>>
> >>>> From: Patrick Billings <pbillings at ...1935...>
> >>>> Subject: Re: [Snort-users] Stream5 reassembly
> >>>> To: "Parag Pote" <pipsparag at ...131...>
> >>>> Cc: snort-users at lists.sourceforge.net
> >>>> Date: Monday, May 31, 2010, 3:34 AM
> >>>> Hi-
> >>>>
> >>>> The ports option, which can be configured as ports client | server |
> >>>> both, is needed to set which ports the preprocessor will perform
> >>>> stream re-assembly on.
> >>>>
> >>>> For example, if you are wanting to re-assemble the traffic to your
> >>>> webserver, then you would want to check for port 80 for http(tcp)
> >>>> traffic but you may not care or be concerned about the port the
> >>>> browser is using, as it will be a random port.
> >>>>
> >>>> The default setting is:  ports client 21 23 25 42 53 80 110 111 135
> >>>> 136 137 139 143 445 513 514 1433 1521 2401 3306
> >>>>
> >>>> HTH,
> >>>>
> >>>> Patrick
> >>>>
> >>>> On Mon, May 31, 2010 at 1:31 PM, Parag Pote <pipsparag at ...131...> wrote:
> >>>>> Hi,
> >>>>>
> >>>>> What does ports (ports client and ports both) mean in the stream5
> >>>>> preprocessor? Just had a glance at the code and it says it does
> >>>>> reassembly when we configure this option. Just wanted to know: is
> >>>>> it mandatory to configure it or an optional one? If we do not
> >>>>> configure it, do we miss any functionality?
> >>>>>
> >>>>> Rgds,
> >>>>> Parag
> >>>>>
> >>>>> _______________________________________________
> >>>>> Snort-users mailing list
> >>>>> Snort-users at lists.sourceforge.net
> >>>>> Go to this URL to change user options or unsubscribe:
> >>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>>>> Snort-users list archive:
> >>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
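
Added example (not part of the original thread, and not Snort's own code): a simplified Python model of what the `ports` option discussed above controls. It assumes the listed ports are server-side ports and that `client`/`server` names the sender whose data is reassembled; the function names, the `VARIANT` line and the sample segments are constructed, while the `DEFAULT` port list is the one Patrick quotes.

```python
import re

# Default setting as quoted in Patrick's message.
DEFAULT = ("preprocessor stream5_tcp: ports client 21 23 25 42 53 80 110 111 "
           "135 136 137 139 143 445 513 514 1433 1521 2401 3306")
# Constructed variant: additionally reassemble both directions on port 8080.
VARIANT = DEFAULT + ", ports both 8080"

# Constructed sample traffic: one HTTP request and one response, each split
# across two TCP segments.
REQUEST = [b"GET /index.ph", b"p?id=1 HTTP/1.1\r\n"]
RESPONSE = [b"HTTP/1.1 200 O", b"K\r\n"]

def parse_ports(line):
    """Return {'client': set, 'server': set}: server ports reassembled per sender.
    Only numeric port lists are handled (the 'all' keyword is not)."""
    sides = {"client": set(), "server": set()}
    for opt in line.split(":", 1)[1].split(","):
        m = re.match(r"\s*ports\s+(client|server|both)\s+([\d\s]+)$", opt)
        if not m:
            continue  # some other stream5_tcp option
        ports = {int(p) for p in m.group(2).split()}
        targets = ("client", "server") if m.group(1) == "both" else (m.group(1),)
        for side in targets:
            sides[side] |= ports
    return sides

def reassembled(sides, server_port, sender):
    """Assumption: data from `sender` is reassembled if the connection's
    server port is listed for that side."""
    return server_port in sides[sender]

def detects(sides, server_port, sender, segments, pattern):
    """Match on the joined stream when reassembled, else segment by segment."""
    if reassembled(sides, server_port, sender):
        return pattern in b"".join(segments)
    return any(pattern in seg for seg in segments)

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT), ("variant", VARIANT)):
        sides = parse_ports(cfg)
        for port in (80, 8080):
            print(name, port,
                  "request:", detects(sides, port, "client", REQUEST, b"index.php"),
                  "response:", detects(sides, port, "server", RESPONSE, b"200 OK"))
```

With the default list, only the client-to-server side of port 80 is matched on the joined stream; content that spans a segment boundary on any other port or direction is seen only after that port is added to the `ports` list.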