[Snort-users] [snort-users] Stream5 doesn't take into account every TCP segment

Emiliano Fausto emiliano.fausto at ...11827...
Mon Dec 9 07:36:18 EST 2013


Hello everyone,

I have the Stream5 preprocessor working (thanks to Hui from the developers'
team), but for some reason it's not taking every TCP segment into account.

Therefore, it's reassembling only some of the segmented TCP stream, not all of
it.

I'm using Wireshark with the option to reassemble TCP, and it correctly shows
two packets reassembled, while the Stream5 preprocessor doesn't take them into
account to reassemble them.

I reviewed the Stream5 options documentation in Stream5.README again and
again, and I don't know what could be going on.

Here is the configuration I set for the preprocessor:

config paf_max: 16000
preprocessor stream5_global: track_tcp yes, \
    track_udp no, \
    track_icmp no, \
    max_tcp 262144, \
    max_active_responses 2, \
    min_response_seconds 5
preprocessor stream5_tcp: policy linux, \
    overlap_limit 0, timeout 180, \
    ports both 3200

And I'm running a dynamic preprocessor of mine which takes every
reassembled packet into account and just prints a line:

/* The cast must apply to the packet pointer, not to the flags field */
if (((SFSnortPacket*) mypacket)->flags & FLAG_REBUILT_STREAM)
      _dpd.logMsg("A reassembled packet was received.\n");

But it's only triggered sometimes, not always, and as I can see in
Wireshark, there are several rebuilt streams.

Just in case, I'm running the SNORT process with option "-k none".

Thanks in advance,
Emiliano.