[Snort-users] Understanding flow options (no_stream|only_stream) (no_frag|only_frag)
Al Lewis (allewi)
allewi at cisco.com
Wed Aug 2 16:33:35 EDT 2017
Have you looked at the README.stream5 file?
Its located under the doc folder of the snort download.
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com<mailto:allewi at cisco.com>
From: Snort-users <snort-users-bounces at lists.snort.org<mailto:snort-users-bounces at lists.snort.org>> on behalf of Damian Torres via Snort-users <snort-users at lists.snort.org<mailto:snort-users at lists.snort.org>>
Reply-To: Damian Torres <datorr2 at gmail.com<mailto:datorr2 at gmail.com>>
Date: Wednesday, August 2, 2017 at 3:49 PM
To: Snort-Users <snort-users at lists.snort.org<mailto:snort-users at lists.snort.org>>
Subject: [Snort-users] Understanding flow options (no_stream|only_stream) (no_frag|only_frag)
Good afternoon, all.
I've been trying to find more information about the following flow options:
no_stream - Do not trigger on rebuilt stream packets (useful for dsize and stream5)
only_stream - Only trigger on rebuilt stream packets
no_frag - Do not trigger on rebuilt frag packets
only_frag - Only trigger on rebuilt frag packets
Other than this information that is mentioned in the manual, I can't seem to find anything else about these options. I saw the following snort-devel thread from 2010 where it sounds like there was supposed to be some more information put into the manual:
Another confusing thing is, the no_frag|only_frag options don't exist in the Cisco FireSIGHT rule editor.
My questions are:
1.) As far as the no_stream option goes, it sounds like all of the payload detection options have to fire on a single packet. Is this correct?
2.) What are the no_frag|only_frag options used for? The only "fragmentation" that I am aware of occurs in IP, and "flow" seems like it only pertains to TCP.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users