[Snort-users] [snort-users] Stream5 doesn't take into account every TCP segment
emiliano.fausto at ...11827...
Mon Dec 9 08:52:03 EST 2013
Update: I've been doing some more testing, and I could notice that:
1) The if condition: myPacket->flags && FLAG_REBUILT_STREAM is True for:
* The packet belongs to a segment which should be reassembled
* The packet is complete without a reassembly
2) The problem actually isn't that the Stream5 isn't activating the
FLAG_REBUILT_STREAM, but that the packet->payload is not the reassembled
packet with all the packets PDUs reassembled, but just the last one
Does anyone know if there's any kind of variable which has the reassembled
Thanks in advance,
2013/12/9 Emiliano Fausto <emiliano.fausto at ...11827...>
> Hello everyone,
> I have the Stream5 preprocessor working (thanks to Hui from the
> developer's team), but for some reason it's not taking into account every
> TCP segment.
> Therefore, it's just reassembling some TCP segmented stream, but not all
> of it.
> I'm using Wireshark with the option to reassembly TCP, and it shows
> correctly two packets reassembled. While the Stream5 preprocessor doesn't
> take them into account to reassemble them.
> I reviewed once and again the Stream5 options documentation in the
> Stream5.README, I don't know what could be going on.
> Here is the configuration I set for the preprocessor:
> config pax_max: 16000
> preprocessor stream5_global: track_tcp yes, \
> track_udp no, \
> track_icmp no, \
> max_tcp 262144, \
> max_active_responses 2, \
> min_response_seconds 5
> preprocessor stream5_tcp: policy linux, \
> overlap_limit 0, timeout 180, \
> ports both 3200
> And I'm running a dynamic preprocessor of mine which takes every
> reassembled packet into account and just print a line:
> if ((SFSnortPacket*) mypacket->flags & FLAG_REBUILT_STREAM)
> _dpd.logMsg("A reassembled packet was received.\n");
> But it's just being triggered sometimes, but not always, and as I can see
> in the wireshar, there are several rebuilt streams.
> Just in case, I'm running the SNORT process with option "-k none".
> Thanks in advance,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users