[Snort-users] Stream5 reassembly

Joel Esler jesler at ...1935...
Mon May 31 11:24:30 EDT 2010


It is mandatory if you want to detect anything.  The ports are simply  
the ports we are reassembling on for the ruleset, you can always add  
more.

--
Joel Esler
Sent from my iPhone

On May 31, 2010, at 8:04 AM, Parag Pote <pipsparag at ...131...> wrote:

> Thanks Joel.
>
> But I guess since it is configure only for some specific ports it is  
> not mandatory, right?
>
> Rgds,
> Parag
>
>
> --- On Mon, 5/31/10, Joel Esler <jesler at ...1935...> wrote:
>
>> From: Joel Esler <jesler at ...1935...>
>> Subject: Re: [Snort-users] Stream5 reassembly
>> To: "Parag Pote" <pipsparag at ...131...>
>> Cc: "Patrick Billings" <pbillings at ...1935...>, "snort-users at lists.sourceforge.net 
>> " <snort-users at lists.sourceforge.net>
>> Date: Monday, May 31, 2010, 7:31 AM
>> This is something that is necessary
>> for the proper intended operation of Snort, yes.
>>
>> --
>> Sent from my iPad
>> Joel Esler
>> 302-223-5974
>> Jabber:jesler at ...1935...
>>
>> On May 31, 2010, at 7:09 AM, Parag Pote <pipsparag at ...131...>
>> wrote:
>>
>>> Thanks patrick.
>>>
>>> But I didn't hear you saying if it is mandatory or can
>> we ignore it? Is it just an added feature?
>>>
>>> Parag
>>>
>>> --- On Mon, 5/31/10, Patrick Billings <pbillings at ...1935...>
>> wrote:
>>>
>>>> From: Patrick Billings <pbillings at ...1935...>
>>>> Subject: Re: [Snort-users] Stream5 reassembly
>>>> To: "Parag Pote" <pipsparag at ...131...>
>>>> Cc: snort-users at lists.sourceforge.net
>>>> Date: Monday, May 31, 2010, 3:34 AM
>>>> Hi-
>>>>
>>>> The ports option which can be configured as ports
>> client |
>>>> server |
>>>> both is needed to set which ports the preprocessor
>> will
>>>> perform stream
>>>> re-assembly on.
>>>>
>>>> For example, if you are wanting to re-assemble the
>> traffic
>>>> to your
>>>> webserver, then you would want to check for port
>> 80 for
>>>> http(tcp)
>>>> traffic but you may not care not be concerned
>> about the
>>>> port the
>>>> browser is using, as it will be a random port.
>>>>
>>>> The default setting is:  ports client 21 23
>> 25 42 53
>>>> 80 110 111 135
>>>> 136  137 139 143 445 513 514 1433 1521 2401
>> 3306
>>>>
>>>> HTH,
>>>>
>>>> Patrick
>>>>
>>>> On Mon, May 31, 2010 at 1:31 PM, Parag Pote <pipsparag at ...131...>
>>>> wrote:
>>>>> Hi,
>>>>>
>>>>> What does ports (ports client and ports both)
>> means in
>>>> stream5 preprocessor? Just had a glance at the
>> code and it
>>>> says it does reassembly when we configure this
>> option. Just
>>>> wanted to know is it mandatory to configure it or
>> optional
>>>> one? If we do not configure do we miss any
>> functionality?
>>>>>
>>>>> Rgds,
>>>>> Parag
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>> --- 
>> --- 
>> --- 
>> ---------------------------------------------------------------------
>>>>>
>>>>>
>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or
>> unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>> --- 
>> --- 
>> --- 
>> ---------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
>
>
>




More information about the Snort-users mailing list