[Snort-users] Stream5 and File preprocessor

Hui Cao (huica) huica at ...589...
Tue May 27 11:07:57 EDT 2014


File preprocessor does require stream. It processes data that are reassembled by stream, so stream5 configuration might impact on file processing. File size is controlled by file type depth or file signature depth. Stream5 memcap or max queue bytes only impacts how much file data that are buffered. You can have file size larger that memcap and max queued bytes. If the file is large,  many reassembled packets will be processed. For pruned/purged sessions, data will be flushed and processed.

Best,
Hui.
From: NIDS TEAM <nidsteam at ...11827...<mailto:nidsteam at ...11827...>>
Date: Tuesday, May 27, 2014 at 4:42 AM
To: "snort-users at lists.sourceforge.net<mailto:snort-users at ...5870....net>" <snort-users at lists.sourceforge.net<mailto:snort-users at ...2987...rge.net>>
Subject: [Snort-users] Stream5 and File preprocessor

Hi

How are the Stream5 and File preprocessor related to each other?

- In case I'd like to extract files from a TCP stream: Will I only be able to extract files which are smaller than the Stream5 memcap, max_queued_bytes, etc?
- Stream5 will reassemble the traffic and then basically send the entire file at once to the file preprocessor?
- What happens to purged/pruned Stream5 sessions? Will the already reassembled part still be sent to the following preprocessors or will it just be deleted?

Thanks for your replies
guh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140527/a1e2b7c2/attachment.html>


More information about the Snort-users mailing list