[Snort-users] 'conifg stateful' option

Jeremy Hoel jthoel at ...11827...
Wed Nov 13 18:17:31 EST 2013

We noticed that our snort boxes didn't trigger on a rule that was
reported by an upstream provider.  Taking the pcaps and playing them
back against a stock snort.conf shows that the rule triggers. Once of
the differences between the configs is that ours included "config
stateful". From most of the documentation, this is a holdover from the
stream4 processor and we are configured to use stream5 (, but
when that statement was in the config, the udp packets wouldn't
trigger the rule.  Comment it out and it did.

Is that by design?

The manual (http://manual.snort.org/node58.html &
http://manual.snort.org/node16.html) mentions "Sets assurance mode for
stream (stream is established)." but I would think that would only
apply to tcp and it would continue to inspect udp either way since
state can never be established.

More information about the Snort-users mailing list