[Snort-users] Understanding flow options (no_stream|only_stream) (no_frag|only_frag)

Al Lewis (allewi) allewi at cisco.com
Wed Aug 2 16:33:35 EDT 2017


Have you looked at the README.stream5 file?

It's located under the doc folder of the snort download.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Damian Torres via Snort-users <snort-users at lists.snort.org>
Reply-To: Damian Torres <datorr2 at gmail.com>
Date: Wednesday, August 2, 2017 at 3:49 PM
To: Snort-Users <snort-users at lists.snort.org>
Subject: [Snort-users] Understanding flow options (no_stream|only_stream) (no_frag|only_frag)

Good afternoon, all.


I've been trying to find more information about the following flow options:

no_stream - Do not trigger on rebuilt stream packets (useful for dsize and stream5)
only_stream - Only trigger on rebuilt stream packets
no_frag - Do not trigger on rebuilt frag packets
only_frag - Only trigger on rebuilt frag packets

Other than this information that is mentioned in the manual, I can't seem to find anything else about these options.  I saw the following snort-devel thread from 2010 where it sounds like there was supposed to be some more information put into the manual:

https://lists.snort.org/pipermail/snort-devel/2010-December/008525.html

Another confusing thing is, the no_frag|only_frag options don't exist in the Cisco FireSIGHT rule editor.


My questions are:
1.) As far as the no_stream option goes, it sounds like all of the payload detection options have to fire on a single packet.  Is this correct?
2.) What are the no_frag|only_frag options used for?  The only "fragmentation" that I am aware of occurs in IP, and "flow" seems like it only pertains to TCP.


Thank you.


Warm Regards,
-Damian
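
An added illustration, not part of the original thread and not Snort's own code: a simplified model of how the four flow keywords quoted above choose which packets a rule is evaluated on, run against a pattern that is split across two TCP segments and one that is not. The names Packet, flow_allows, rule_hits and detection_queue, the sample payloads, and the assumption that detection sees each wire packet plus one rebuilt pseudo-packet are all constructed for this example.

```python
# Simplified model (an assumption, not Snort source): every packet handed to
# detection is either a wire packet or a pseudo-packet rebuilt by the stream
# or frag preprocessor; the flow keywords only decide which kinds a rule sees.
from dataclasses import dataclass

@dataclass
class Packet:
    payload: bytes
    rebuilt_stream: bool = False   # produced by TCP stream reassembly
    rebuilt_frag: bool = False     # produced by IP defragmentation

def flow_allows(pkt, opts):
    """Apply the four keywords as the manual text describes them."""
    if "no_stream" in opts and pkt.rebuilt_stream:
        return False
    if "only_stream" in opts and not pkt.rebuilt_stream:
        return False
    if "no_frag" in opts and pkt.rebuilt_frag:
        return False
    if "only_frag" in opts and not pkt.rebuilt_frag:
        return False
    return True

def rule_hits(packets, opts, content):
    """Indexes of the packets on which a single-content rule would alert."""
    return [i for i, p in enumerate(packets)
            if flow_allows(p, opts) and content in p.payload]

def detection_queue(segments):
    """Wire segments followed by the reassembled pseudo-packet (constructed)."""
    wire = [Packet(s) for s in segments]
    return wire + [Packet(b"".join(segments), rebuilt_stream=True)]

# Constructed traffic: the pattern is split across two TCP segments.
SPLIT = detection_queue([b"xxEXAMPLE-PA", b"TTERNxx"])
# Constructed traffic: the pattern sits inside the first segment.
WHOLE = detection_queue([b"xxEXAMPLE-PATTERN", b"xx"])

if __name__ == "__main__":
    for name, queue in (("split", SPLIT), ("whole", WHOLE)):
        for opts in ((), ("no_stream",), ("only_stream",)):
            hits = rule_hits(queue, set(opts), b"EXAMPLE-PATTERN")
            print(name, opts or "(default)", hits)
```

In this model a no_stream rule never sees the split pattern, because it is only evaluated on the individual wire segments, while the default and only_stream rules match on the rebuilt pseudo-packet at index 2.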
