preprocessor stream4: [noinspect], [asynchronous_link], [keepstats [machine|binary]], \
[detect_scans], [log_flushed_streams], [detect_state_problems], \
[disable_evasion_alerts], [timeout <seconds>], [memcap <bytes>], \
[max_sessions <num sessions>], [enforce_state], \
[cache_clean_sessions <num of sessions>], [ttl_limit <count>], \
[self_preservation_threshold <threshold>], \
[self_preservation_period <seconds>], \
[suspend_threshold <threshold>], [suspend_period <seconds>], \
[state_protection], [server_inspect_limit <bytes>], \
[enable_udp_sessions], [max_udp_sessions <num sessions>], \
[udp_ignore_any]
| Option | Description |
| --- | --- |
| asynchronous_link | Uses state transitions based only on one-sided conversation (no tracking of acknowledge/sequence numbers). |
| cache_clean_sessions <num sessions> | Purges this number of least-recently used sessions from the session cache. |
| detect_scans | Turns on alerts for portscan events. |
| detect_state_problems | Turns on alerts for stream events of note, such as evasive RST packets, data on the SYN packet, and out-of-window sequence numbers. |
| enforce_state | Enforces statefulness so that sessions aren't picked up mid-stream. |
| keepstats | Records session summary information in <logdir>/session.log. If no options are specified, output is human readable. |
| log_flushed_streams | Logs the packets that are part of a reassembled stream. |
| disable_evasion_alerts | Turns off alerts for events such as TCP overlap. |
| timeout <seconds> | Amount of time to keep an inactive stream in the state table; sessions that are flushed will automatically be picked up again if more activity is seen. The default value is 30 seconds. |
| memcap <bytes> | Sets the number of bytes used to store packets for reassembly. |
| max_sessions <num sessions> | Sets the maximum number of simultaneous sessions. |
| noinspect | Disables stateful inspection. |
| ttl_limit <count> | Sets the delta value that will set off an evasion alert. |
| self_preservation_threshold <threshold> | Sets limit on number of sessions before entering self-preservation mode (only reassemble data on the default ports). |
| self_preservation_period <seconds> | Sets length of time (seconds) to remain in self-preservation mode. |
| suspend_threshold <threshold> | Sets limit on number of sessions before entering suspend mode (no reassembly). |
| suspend_period <seconds> | Sets length of time (seconds) to remain in suspend mode. |
| server_inspect_limit <bytes> | Restricts inspection of server traffic to this many bytes until another client request is seen (i.e., a client packet with data). |
| state_protection | Protects self against DoS attacks. |
| enable_udp_sessions | Enables UDP session tracking. |
| max_udp_sessions <num sessions> | The maximum number of UDP sessions to be tracked. Default is 8192 if UDP sessions are enabled. |
| udp_ignore_any | Ignores traffic on port without port-specific rules. The result of this is that NO rules (including IP-only rules) are applied to UDP traffic that has a source/destination port that is listed in a port-specific rule. |
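
The option list above can be used to review a `preprocessor stream4:` line for unknown options, malformed arguments, and settings that reduce what the sensor inspects or alerts on. The Python below is an added example, not part of the Snort manual or Snort's own code; the function names, the grouping of options by argument type, and the sample configuration are assumptions made for illustration.

```python
import re
# Option names come from the table above; grouping by argument type is this example's.
FLAGS = {"noinspect", "asynchronous_link", "detect_scans", "log_flushed_streams",
         "detect_state_problems", "disable_evasion_alerts", "enforce_state",
         "state_protection", "enable_udp_sessions", "udp_ignore_any"}
NUMERIC = {"timeout", "memcap", "max_sessions", "cache_clean_sessions", "ttl_limit",
           "self_preservation_threshold", "self_preservation_period",
           "suspend_threshold", "suspend_period", "server_inspect_limit",
           "max_udp_sessions"}
# Options that reduce what the sensor inspects or alerts on (reasons from the table).
WEAKENING = {"noinspect": "stateful inspection is disabled",
             "asynchronous_link": "sequence/acknowledge numbers are not tracked",
             "disable_evasion_alerts": "alerts such as TCP overlap are turned off"}

SAMPLE = """\
preprocessor stream4: disable_evasion_alerts, timeout 60, \\
    memcap abc, keepstats binary, detect_scan
preprocessor stream4_reassemble
"""  # constructed sample configuration, not from a real deployment

def parse_stream4(conf_text):
    """Return {option: argument or None} for the stream4 directive, or None if absent."""
    for line in conf_text.replace("\\\n", " ").splitlines():
        m = re.match(r"preprocessor\s+stream4\s*(?::(.*))?$", line.split("#")[0].strip())
        if m:
            items = [i.split() for i in (m.group(1) or "").split(",")]
            return {p[0]: " ".join(p[1:]) or None for p in items if p}
    return None

def audit(conf_text):
    """List unknown options, bad arguments, and coverage-reducing settings."""
    opts = parse_stream4(conf_text)
    if opts is None:
        return ["no stream4 directive found"]
    findings = []
    for name, arg in opts.items():
        if name in NUMERIC and not (arg or "").isdigit():
            findings.append(f"{name}: expects a numeric argument")
        elif name == "keepstats" and arg not in (None, "machine", "binary"):
            findings.append(f"{name}: argument must be machine or binary")
        elif name in FLAGS and arg is not None:
            findings.append(f"{name}: takes no argument")
        elif name not in FLAGS | NUMERIC | {"keepstats"}:
            findings.append(f"{name}: not a documented stream4 option")
        if name in WEAKENING:
            findings.append(f"{name}: {WEAKENING[name]}")
    if "detect_state_problems" not in opts:
        findings.append("detect_state_problems absent: no stream anomaly alerts")
    return findings
```

Calling `audit(SAMPLE)` returns one finding per problem in the constructed directive; a directive that enables `detect_state_problems` and uses only documented options with valid arguments returns an empty list.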
Steven Sturges
2006-12-08