Snort - the de facto standard for intrusion detection/prevention


Stream4

The Stream4 module provides TCP stream reassembly and stateful analysis capabilities to Snort. Robust stream reassembly allows Snort to ignore "stateless" attacks (which include the types of attacks that Stick and Snot produce). Stream4 also gives large-scale users the ability to track many simultaneous TCP streams. In its default configuration Stream4 is set to handle 8192 simultaneous TCP connections; however, it scales to handle over 100,000 simultaneous connections.
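The following added example (not Snort source code and not part of the original manual) is a simplified Python model of why session state plus reassembly filters out stateless traffic: a payload is only inspected once a three-way handshake has been seen, and a pattern split across out-of-order segments is matched on the reassembled stream. The class and function names, the sample pattern and the endpoints are all hypothetical; only the 8192-session default comes from the text above.

```python
# Added illustration, not Snort source code; every name here is hypothetical.
from dataclasses import dataclass, field

SYN, PSH, ACK = 0x02, 0x08, 0x10
SIGNATURE = b"/etc/passwd"  # constructed sample content pattern

@dataclass
class Session:
    state: str = "SYN_SEEN"  # SYN_SEEN -> SYNACK_SEEN -> ESTABLISHED
    next_seq: int = 0        # next in-order client sequence number
    pending: dict = field(default_factory=dict)  # seq -> early segment
    stream: bytes = b""      # reassembled client-to-server bytes

class StreamTracker:
    def __init__(self, max_sessions=8192):  # default quoted in the text above
        self.max_sessions = max_sessions
        self.sessions = {}  # (client, server) -> Session

    def packet(self, src, dst, flags, seq, payload=b""):
        """Feed one TCP segment; True when the reassembled stream matches."""
        key = (src, dst) if (src, dst) in self.sessions else (dst, src)
        sess = self.sessions.get(key)
        if sess is None:
            # Only a bare SYN creates state; other segments are stateless noise.
            if flags == SYN and len(self.sessions) < self.max_sessions:
                self.sessions[(src, dst)] = Session(next_seq=seq + 1)
            return False
        from_client = key == (src, dst)
        if sess.state == "SYN_SEEN":
            if not from_client and flags == SYN | ACK:
                sess.state = "SYNACK_SEEN"
            return False
        if sess.state == "SYNACK_SEEN" and from_client and flags == ACK:
            sess.state = "ESTABLISHED"
        if sess.state != "ESTABLISHED" or not from_client or not payload:
            return False
        sess.pending[seq] = payload
        while sess.next_seq in sess.pending:  # drain segments now in order
            data = sess.pending.pop(sess.next_seq)
            sess.stream += data
            sess.next_seq += len(data)
        return SIGNATURE in sess.stream

if __name__ == "__main__":
    t = StreamTracker()
    c, s = "10.0.0.5:40000", "10.0.0.9:80"  # constructed endpoints
    print(t.packet(c, s, PSH | ACK, 7, b"GET /etc/passwd"))  # no handshake
    for args in [(c, s, SYN, 100), (s, c, SYN | ACK, 500), (c, s, ACK, 101),
                 (c, s, PSH | ACK, 109, b"/passwd"), (c, s, PSH | ACK, 101, b"GET /etc")]:
        print(t.packet(*args))
```

The model does not validate acknowledgement numbers, handle overlapping segments, or time sessions out, all of which a production reassembler has to deal with.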

Stream4 can also provide session tracking of UDP conversations. To enable this in the Snort binary, pass --enable-stream4udp to configure before compiling. You will also need to enable it in the stream4 configuration.

Stream4 contains two configurable modules: the global stream4 preprocessor and the stream4_reassemble preprocessor.

Note: Additional options can be used if Snort is running in inline mode. See Section [*] for more information.




Steven Sturges 2006-12-08