[Snort-users] stream5 and track_icmp

elof at ...6680... elof at ...6680...
Wed Mar 13 08:51:52 EDT 2013


Stream5 track_icmp is disabled by default in Snort. Why?

README.stream5:
"ICMP messages are tracked for the purposes of checking for unreachable 
and service unavailable messages, which effectively terminate a TCP or UDP 
session."

Isn't this a good thing, to let Snort bail early on TCP/UDP streams that 
are terminated and this is informed via an ICMP message?

/Elof



