[Snort-users] Stream5 reassembly

Patrick Billings pbillings at ...1935...
Tue Jun 1 07:13:43 EDT 2010


Hi-

Yes it will do this if you have selected the setting of ports server.
Typically client requests are small, lightweight, and usually the
client request is the request that would carry a malicious payload.

Default is ports client

Patrick

On Tue, Jun 1, 2010 at 6:05 PM, Parag Pote <pipsparag at ...131...> wrote:
> So Joel, does this mean that when somebody fetches an HTTP page, the reassembly module assembles the complete HTTP page in a buffer and scans for signatures on the whole data? If the page is OK, does it flush the complete data?
>
> Parag
>
> --- On Mon, 5/31/10, Joel Esler <jesler at ...1935...> wrote:
>
>> From: Joel Esler <jesler at ...1935...>
>> Subject: Re: [Snort-users] Stream5 reassembly
>> To: "Parag Pote" <pipsparag at ...131...>
>> Cc: "Patrick Billings" <pbillings at ...1935...>, "snort-users at ...3054...forge.net" <snort-users at lists.sourceforge.net>
>> Date: Monday, May 31, 2010, 11:24 AM
>> It is mandatory if you want to detect anything. The ports are simply
>> the ports we are reassembling on for the ruleset, you can always add
>> more.
>>
>> --
>> Joel Esler
>> Sent from my iPhone
>>
>> On May 31, 2010, at 8:04 AM, Parag Pote <pipsparag at ...131...> wrote:
>>
>> > Thanks Joel.
>> >
>> > But I guess since it is configured only for some specific ports it is
>> > not mandatory, right?
>> >
>> > Rgds,
>> > Parag
>> >
>> >
>> > --- On Mon, 5/31/10, Joel Esler <jesler at ...1935...> wrote:
>> >
>> >> From: Joel Esler <jesler at ...1935...>
>> >> Subject: Re: [Snort-users] Stream5 reassembly
>> >> To: "Parag Pote" <pipsparag at ...131...>
>> >> Cc: "Patrick Billings" <pbillings at ...1935...>, "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
>> >> Date: Monday, May 31, 2010, 7:31 AM
>> >> This is something that is necessary
>> >> for the proper intended operation of Snort, yes.
>> >>
>> >> --
>> >> Sent from my iPad
>> >> Joel Esler
>> >> 302-223-5974
>> >> Jabber:jesler at ...1935...
>> >>
>> >> On May 31, 2010, at 7:09 AM, Parag Pote <pipsparag at ...131...> wrote:
>> >>
>> >>> Thanks Patrick.
>> >>>
>> >>> But I didn't hear you saying if it is mandatory or can we ignore it? Is it just an added feature?
>> >>>
>> >>> Parag
>> >>>
>> >>> --- On Mon, 5/31/10, Patrick Billings <pbillings at ...1935...> wrote:
>> >>>
>> >>>> From: Patrick Billings <pbillings at ...1935...>
>> >>>> Subject: Re: [Snort-users] Stream5 reassembly
>> >>>> To: "Parag Pote" <pipsparag at ...131...>
>> >>>> Cc: snort-users at lists.sourceforge.net
>> >>>> Date: Monday, May 31, 2010, 3:34 AM
>> >>>> Hi-
>> >>>>
>> >>>> The ports option, which can be configured as ports client | server |
>> >>>> both, is needed to set which ports the preprocessor will perform stream
>> >>>> re-assembly on.
>> >>>>
>> >>>> For example, if you are wanting to re-assemble the traffic to your
>> >>>> webserver, then you would want to check for port 80 for http(tcp)
>> >>>> traffic, but you may not care or be concerned about the port the
>> >>>> browser is using, as it will be a random port.
>> >>>>
>> >>>> The default setting is: ports client 21 23 25 42 53 80 110 111 135
>> >>>> 136 137 139 143 445 513 514 1433 1521 2401 3306
>> >>>>
>> >>>> HTH,
>> >>>>
>> >>>> Patrick
>> >>>>
>> >>>> On Mon, May 31, 2010 at 1:31 PM, Parag Pote <pipsparag at ...131...> wrote:
>> >>>>> Hi,
>> >>>>>
>> >>>>> What does ports (ports client and ports both) mean in the stream5
>> >>>>> preprocessor? Just had a glance at the code and it says it does
>> >>>>> reassembly when we configure this option. Just wanted to know, is it
>> >>>>> mandatory to configure it or an optional one? If we do not configure
>> >>>>> it, do we miss any functionality?
>> >>>>>
>> >>>>> Rgds,
>> >>>>> Parag
>> >>>>>
>> >>>>> _______________________________________________
>> >>>>> Snort-users mailing list
>> >>>>> Snort-users at lists.sourceforge.net
>> >>>>> Go to this URL to change user options or unsubscribe:
>> >>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >>>>> Snort-users list archive:
>> >>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
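
The `ports` setting discussed in this thread, written out as a snort.conf fragment. This is an added example, not any poster's configuration; moving port 80 to `ports both` is an assumption chosen to match the HTTP-page question at the top of the thread.

```conf
# Stream5 session tracking has to be enabled before stream5_tcp is configured.
preprocessor stream5_global: track_tcp yes

# Default quoted in the thread: only the client side of sessions on these
# ports is reassembled, so rules see whole requests but not whole responses.
# Shown commented out because only one default stream5_tcp policy may be active.
#
# preprocessor stream5_tcp: \
#     ports client 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 514 \
#                  1433 1521 2401 3306

# Variant (assumption for illustration): keep the default client-side list, but
# reassemble both directions on port 80 so that signatures written against
# server responses are matched on reassembled data as well. Server responses
# are usually much larger than client requests, so this costs more memory and
# CPU per session than client-only reassembly.
preprocessor stream5_tcp: \
    ports client 21 23 25 42 53 110 111 135 136 137 139 143 445 513 514 \
                 1433 1521 2401 3306, \
    ports both 80
```

`snort -T -c snort.conf` parses the file and exits, which confirms the fragment is accepted before it is deployed to a sensor.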



