[Snort-users] Understanding flow options (no_stream|only_stream) (no_frag|only_frag)
datorr2 at gmail.com
Wed Aug 2 15:49:10 EDT 2017
Good afternoon, all.
I've been trying to find more information about the following flow options:
no_stream - Do not trigger on rebuilt stream packets (useful for dsize and
only_stream - Only trigger on rebuilt stream packets
no_frag - Do not trigger on rebuilt frag packets
only_frag - Only trigger on rebuilt frag packets
Other than this information that is mentioned in the manual, I can't seem
to find anything else about these options. I saw the following snort-devel
thread from 2010 where it sounds like there was supposed to be some more
information put into the manual:
Another confusing thing is, the no_frag|only_frag options don't exist in
the Cisco FireSIGHT rule editor.
My questions are:
1.) As far as the no_stream option goes, it sounds like all of the payload
detection options have to fire on a single packet. Is this correct?
2.) What are the no_frag|only_frag options used for? The only
"fragmentation" that I am aware of occurs in IP, and "flow" seems like it
only pertains to TCP.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users