[Snort-users] stream5 and track_icmp

Joel Esler jesler at ...1935...
Sat Mar 16 16:23:59 EDT 2013

Bottom line is, this feature isn't fully tested.  We see it as experimental.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager

On Mar 13, 2013, at 8:51 AM, elof at ...6680... wrote:

> Stream5 track_icmp is disabled by default in snort. Why?
> README.stream5:
> "ICMP messages are tracked for the purposes of checking for unreachable 
> and service unavailable messages, which effectively terminate a TCP or UDP 
> session."
> Isn't this a good thing, to let snort bail early on TCP/UDP streams that 
> are terminated and this is informed via an ICMP message?
> /Elof
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_mar
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130316/4539a7f8/attachment.html>

More information about the Snort-users mailing list