[Snort-users] Stream5 and File preprocessor

NIDS TEAM nidsteam at ...11827...
Tue May 27 04:42:25 EDT 2014


How are the Stream5 and File preprocessor related to each other?

- In case I'd like to extract files from a TCP stream: Will I only be able
to extract files which are smaller than the Stream5 memcap,
max_queued_bytes, etc?
- Stream5 will reassemble the traffic and then basically send the entire
file at once to the file preprocessor?
- What happens to purged/pruned Stream5 sessions? Will the already
reassembled part still be sent to the following preprocessors or will it
just be deleted?

Thanks for your replies
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140527/89d8b032/attachment.html>

More information about the Snort-users mailing list