Snort - the de facto standard for intrusion detection/prevention
the de facto standard in IPS  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Snort Downloads Snort Rules Snort Docs Snort Training Snort Forums Snort Community Snort Store
Search Site
Search Rules
Account
email
password
not registered?
can't login?
user preferences
next up previous contents
Next: Flow Up: Stream4 Previous: stream4_reassemble Format   Contents

Notes

Just setting the stream4 and stream4_reassemble directives without arguments in the snort.conf file will set them up in their default configurations shown in Table [*] and Table [*].



Table: Stream4 Defaults
Option Default
session timeout (timeout) 30 seconds
session memory cap (memcap) 8388608 bytes
stateful inspection (noinspect) active (noinspect disabled)
stream stats (keepstats) inactive
state problem alerts (detect_state_problems) inactive (detect_state_problems disabled)
evasion alerts (disable_evasion_alerts) inactive (disable_evasion_alerts enabled)
asynchronous link (asynchronous_link) inactive
log flushed streams (log_flushed_streams) inactive
max TCP sessions (max_sessions) 8192
session cache purge (cache_clean_sessions) 5
self preservation threshold (self_preservation_threshold) 50 sessions/sec
self preservation period (self_preservation_period) 90 seconds
suspend threshold (suspend_threshold) 200 sessions/sec
suspend period (suspend_period) 30 seconds
state protection (state_protection) inactive
server inspect limit (server_inspect_limit) -1 (inactive)
UDP session tracking (enable_udp_sessions) inactive
max UDP sessions (max_udp_sessions) 8192


Table: stream4_reassemble Defaults
Option Default
reassemble client (clientonly) active
reassemble server (serveronly) inactive
reassemble both (both) inactive
reassemble ports (ports) 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
emergency reassemble ports (ports) 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
reassembly alerts (noalerts) active (noalerts disabled)
favor old packet (favor_old) active
favor new packet (favor_new) inactive
flush on alert (flush_on_alert) inactive
overlap limit (overlap_limit) -1 (inactive)
large packet performance (large_packet_performance) inactive

next up previous contents
Next: Flow Up: Stream4 Previous: stream4_reassemble Format   Contents
Steven Sturges 2006-12-08
site feedback | Terms of Use | Privacy Policy | forum archives ©2007 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.