<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:12.727272033691406px">Hello everyone,</span><div style="font-family:arial,sans-serif;font-size:12.727272033691406px"><br></div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">

I have the Stream5 preprocessor working (thanks to Hui from the developer's team), but for some reason it's not taking into account every TCP segment.<br></div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">

<br></div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">Therefore, it's just reassembling some segmented TCP streams, but not all of them. </div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">

<br></div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">I'm using Wireshark with the option to reassemble TCP, and it correctly shows two packets reassembled, while the Stream5 preprocessor doesn't take them into account to reassemble them.<br>

</div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px"><br></div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">I reviewed the Stream5 options documentation in the Stream5.README again and again, and I don't know what could be going on.</div>

<div style="font-family:arial,sans-serif;font-size:12.727272033691406px"><br></div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">Here is the configuration I set for the preprocessor:</div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">

<br></div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">config paf_max: 16000</div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">preprocessor stream5_global: track_tcp yes, \</div>

<div style="font-family:arial,sans-serif;font-size:12.727272033691406px">    track_udp no, \</div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">    track_icmp no, \</div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">

    max_tcp 262144, \</div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">    max_active_responses 2, \</div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">    min_response_seconds 5</div>

<div style="font-family:arial,sans-serif;font-size:12.727272033691406px">preprocessor stream5_tcp: policy linux, \</div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">    overlap_limit 0, timeout 180, \</div>

<div style="font-family:arial,sans-serif;font-size:12.727272033691406px">    ports both 3200</div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px"><br></div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">

And I'm running a dynamic preprocessor of mine which takes every reassembled packet into account and just prints a line:</div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px"><br></div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">

if (((SFSnortPacket *) mypacket)->flags & FLAG_REBUILT_STREAM)</div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">      _dpd.logMsg("A reassembled packet was received.\n");</div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">

<br></div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px"><div>But it's only being triggered sometimes, not always, and as I can see in Wireshark, there are several rebuilt streams.</div>

<div><br></div><div>Just in case, I'm running the Snort process with the "-k none" option.</div><div><br></div></div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">Thanks in advance,<br>

Emiliano.</div></div>
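Added example (editor's code, not from the post above and not Snort's own sources): a stand-alone C program that shows the flag test the posted preprocessor snippet is trying to write, done with the cast applied to the packet pointer before `->flags` is read. As written in the post, `(SFSnortPacket*) mypacket->flags & FLAG_REBUILT_STREAM` casts the flags value to a pointer (since `->` binds tighter than a cast) and then ANDs a pointer with an integer, which does not compile. The `SFSnortPacket` struct here is a reduced mock with only a `flags` and a `payload_size` field; the flag names follow `sf_snort_packet.h` but their numeric values, and the reading of `FLAG_STREAM_INSERT` as "raw segment queued by Stream5 for reassembly", are assumptions for this example. The sample packet sequence is constructed: raw segments are seen first, and one rebuilt pseudo-packet arrives for the group, which is why counting rebuilt packets will not give one hit per segment.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Mock of the dynamic-preprocessor packet structure, reduced to the fields
 * this example uses. A real preprocessor would include sf_snort_packet.h
 * instead; the struct layout here is an assumption for illustration only.
 */
typedef struct {
    uint32_t flags;          /* packet flags set by Snort / Stream5        */
    uint16_t payload_size;   /* bytes of payload carried by this packet    */
} SFSnortPacket;

/* Flag bits named after the ones in sf_snort_packet.h; the numeric values
 * are assumed for this example and are not taken from the original post. */
#define FLAG_REBUILT_STREAM 0x00000002u  /* pseudo-packet built by Stream5    */
#define FLAG_STREAM_INSERT  0x00000008u  /* raw segment queued for reassembly */

/*
 * Correct test for a rebuilt packet. Note the parentheses: '->' binds
 * tighter than a cast, so "(SFSnortPacket*) pkt->flags & FLAG" casts the
 * flags value to a pointer and then ANDs a pointer with an integer, which
 * does not compile in C. Cast the pointer first, then read ->flags.
 */
int is_rebuilt_stream(const void *pkt)
{
    const SFSnortPacket *p = (const SFSnortPacket *)pkt;
    return (p->flags & FLAG_REBUILT_STREAM) != 0;
}

/* A raw segment that Stream5 has queued (assumed meaning of the flag). */
int is_queued_segment(const void *pkt)
{
    const SFSnortPacket *p = (const SFSnortPacket *)pkt;
    return (p->flags & FLAG_STREAM_INSERT) != 0;
}

/*
 * Walk a sequence of packets as the preprocessor's process callback would
 * see them one by one, counting raw queued segments and rebuilt packets
 * separately. Returns the number of rebuilt packets; *queued receives the
 * number of raw segments that were queued for reassembly.
 */
int count_rebuilt(const SFSnortPacket *pkts, int n, int *queued)
{
    int rebuilt = 0;
    *queued = 0;
    for (int i = 0; i < n; i++) {
        if (is_rebuilt_stream(&pkts[i])) {
            rebuilt++;
        } else if (is_queued_segment(&pkts[i])) {
            (*queued)++;
        }
    }
    return rebuilt;
}

/* Constructed sample: three raw segments queued by Stream5, followed by one
 * pseudo-packet carrying their combined payload. Sizes are made up. */
static const SFSnortPacket sample[] = {
    { FLAG_STREAM_INSERT,  1460 },
    { FLAG_STREAM_INSERT,  1460 },
    { FLAG_STREAM_INSERT,   900 },
    { FLAG_REBUILT_STREAM, 3820 },
};
#define SAMPLE_LEN ((int)(sizeof(sample) / sizeof(sample[0])))

int main(void)
{
    int queued = 0;
    int rebuilt = count_rebuilt(sample, SAMPLE_LEN, &queued);
    printf("queued segments: %d, rebuilt packets: %d\n", queued, rebuilt);
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c`; the same program with the post's original cast expression in place of `is_rebuilt_stream` fails to build, which is a quick way to confirm that the expression, and not Stream5, is what is being tested.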