[Snort-users] Understanding flow options (no_stream|only_stream) (no_frag|only_frag)

Damian Torres datorr2 at gmail.com
Wed Aug 2 15:49:10 EDT 2017

Good afternoon, all.

I've been trying to find more information about the following flow options:

no_stream - Do not trigger on rebuilt stream packets (useful for dsize and
only_stream - Only trigger on rebuilt stream packets
no_frag - Do not trigger on rebuilt frag packets
only_frag - Only trigger on rebuilt frag packets

Other than this information that is mentioned in the manual, I can't seem
to find anything else about these options.  I saw the following snort-devel
thread from 2010 where it sounds like there was supposed to be some more
information put into the manual:


Another confusing thing is, the no_frag|only_frag options don't exist in
the Cisco FireSIGHT rule editor.

My questions are:
1.) As far as the no_stream option goes, it sounds like all of the payload
detection options have to fire on a single packet.  Is this correct?
2.) What are the no_frag|only_frag options used for?  The only
"fragmentation" that I am aware of occurs in IP, and "flow" seems like it
only pertains to TCP.

Thank you.

Warm Regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170802/c11f3fb5/attachment.html>

More information about the Snort-users mailing list