Snort - the de facto standard for intrusion detection/prevention
Next: 3.19 Where does one Up: 3 Configuring Snort Previous: 3.17 How does rule


3.18 How do I configure stream4?

Stream4 is a newer preprocessor that performs two functions:

  • Stateful inspection of TCP sessions
  • TCP stream reassembly

Marty implemented stream4 out of the desire to have more robust stream reassembly capabilities and to defeat the latest "stateless attacks" that have been coming out against Snort (cf. stick and snot), tools that spray crafted packets matching rule content without any real TCP session behind them. Stream4 is written with the intent of letting Snort perform stream reassembly for "enterprise class" users, people who need to track and reassemble more than 256 streams simultaneously. Marty optimized the code fairly extensively to be robust, stable, and fast. The testing and calculations I've performed lead me to be fairly confident that stream4 can provide full stream reassembly for several thousand simultaneous connections and stateful inspection for upwards of 64,000 simultaneous sessions.

Stream4 is a large and complex piece of code (almost 2000 lines) and there are a lot of options associated with its runtime configuration, so I'll go over them here.

preprocessor stream4: [noinspect], [keepstats], [timeout <seconds>], [memcap <bytes>]

stream4_reassemble defaults (what you get from a bare "preprocessor stream4_reassemble" line with no arguments):

Reassemble client: ACTIVE 
Reassemble server: INACTIVE 
Reassemble ports: 21 23 25 53 80 143 110 111 513 
Reassembly alerts: ACTIVE
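As an added example (not from this FAQ or the Snort distribution), here is a snort.conf fragment that puts the minimal, default configuration beside a tuned one. The stream4 keywords are the ones listed above; the stream4_reassemble keywords (clientonly, serveronly, both, noalerts, ports) are the ones the Snort 2.x manual documents for that line and are not listed on this page; the numeric values are arbitrary choices that must be tuned to the sensor's memory and traffic.

```conf
# Added example, not from the Snort FAQ. Two ways to configure stream4.

# (1) Minimal: enable stream4 and reassembly with their built-in defaults.
#     Only the client side of each session is reassembled, on the default
#     port list (21 23 25 53 80 143 110 111 513), and reassembly alerts are on.
preprocessor stream4
preprocessor stream4_reassemble

# (2) Tuned: explicit limits, statistics, and reassembly of both directions.
#     keepstats - periodically write session statistics (useful when sizing memcap)
#     timeout   - seconds a session may sit idle before it is dropped from the
#                 state table (180 is an arbitrary value chosen for this example)
#     memcap    - ceiling, in bytes, on memory stream4 may use for its state
#                 (33554432 = 32 MB, arbitrary value chosen for this example)
# Do NOT add 'noinspect': it turns stateful inspection off, which is exactly
# what lets stateless packet floods such as stick and snot raise bogus alerts
# for content that never belonged to an established TCP session.
preprocessor stream4: keepstats, timeout 180, memcap 33554432

# 'both' reassembles client->server and server->client streams, so a server
# response split across several segments is matched as one buffer instead of
# slipping past per-packet content checks. 'ports' replaces the default list;
# here the defaults plus 8080 are tracked (8080 is an assumed local choice).
preprocessor stream4_reassemble: both, ports 21 23 25 53 80 110 111 143 513 8080
```

Use the first form until you have measured the sensor; then turn on keepstats, watch how much state is kept at peak, and set memcap and timeout from those numbers rather than from the placeholders above. Reassembling both directions roughly doubles the buffering per session, so raise memcap accordingly when you enable it.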


Nigel Houghton 2006-10-02