[Snort-users] Understanding flow options (no_stream|only_stream) (no_frag|only_frag)

Damian Torres datorr2 at gmail.com
Thu Aug 3 10:30:40 EDT 2017


No, I had not looked at the README.stream5 file.  There was a lot of useful
information in there, so thank you for mentioning that!

>From the README.stream5, "The Stream preprocessor is a target-based TCP
reassembly module for Snort.  It replaces both the Stream5 and the earlier
Stream4 and flow preprocessors, and it is capable of tracking sessions for
both TCP and UDP."

So now, in addition to the two questions I had before, I have the following

3.) Are flow:established,to_server,no_stream; and
stream_reassemble:disable,client; essentially the same?  If not, how are
they different? (may tie in with #5).
4.) I assume that if I use stream_reassemble option, I cannot use flow in
the same rule?
5.) What are the pros/cons of using flow vs stream_reassemble?

Warm Regards,

On Wed, Aug 2, 2017 at 4:33 PM, Al Lewis (allewi) <allewi at cisco.com> wrote:

> Have you looked at the README.stream5 file?
> Its located under the doc folder of the snort download.
> *Albert Lewis*
> SOURCE*fire*, Inc. now part of *Cisco*
> Email: allewi at cisco.com
> From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of
> Damian Torres via Snort-users <snort-users at lists.snort.org>
> Reply-To: Damian Torres <datorr2 at gmail.com>
> Date: Wednesday, August 2, 2017 at 3:49 PM
> To: Snort-Users <snort-users at lists.snort.org>
> Subject: [Snort-users] Understanding flow options (no_stream|only_stream)
> (no_frag|only_frag)
> Good afternoon, all.
> I've been trying to find more information about the following flow options:
> no_stream - Do not trigger on rebuilt stream packets (useful for dsize and
> stream5)
> only_stream - Only trigger on rebuilt stream packets
> no_frag - Do not trigger on rebuilt frag packets
> only_frag - Only trigger on rebuilt frag packets
> Other than this information that is mentioned in the manual, I can't seem
> to find anything else about these options.  I saw the following snort-devel
> thread from 2010 where it sounds like there was supposed to be some more
> information put into the manual:
> https://lists.snort.org/pipermail/snort-devel/2010-December/008525.html
> Another confusing thing is, the no_frag|only_frag options don't exist in
> the Cisco FireSIGHT rule editor.
> My questions are:
> 1.) As far as the no_stream option goes, it sounds like all of the payload
> detection options have to fire on a single packet.  Is this correct?
> 2.) What are the no_frag|only_frag options used for?  The only
> "fragmentation" that I am aware of occurs in IP, and "flow" seems like it
> only pertains to TCP.
> Thank you.
> Warm Regards,
> -Damian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170803/5e62b6a9/attachment.html>

More information about the Snort-users mailing list