Snort - the de facto standard for intrusion detection/prevention
next up previous contents
Next: Stream5 UDP Configuration Up: Stream5 Previous: Stream5 Global Configuration   Contents

Stream5 TCP Configuration

Provides a means to configure TCP policy per target IP address. This directive can occur multiple times, once per policy that is bound to an IP address or network. One default policy must be specified, and that policy is not bound to an IP address or network.

preprocessor stream5_tcp: [bind_to <ip_addr>], [timeout <number secs>], \
                      [policy <policy_id>], [min_ttl <number>], \
                      [overlap_limit <number>], [max_window <number>], \
                      [require_3whs [<number secs>]], [detect_anomalies], \
                      [check_session_hijacking], [use_static_footprint_sizes], \
                      [dont_store_large_packets], \
                      [ports <client|server|both> <all|number [number]*>]

Option                                        Description
bind_to <ip_addr>                             IP address or network for this policy. The default is set to any.
timeout <num seconds>                         Session timeout. The default is "30", the minimum is "1", and the maximum is "86400" (approximately 1 day).
policy <policy_id>                            The Operating System policy for the target OS. The policy_id can be one of the following:
                                                  Policy Name   Operating Systems
                                                  first         Favor first overlapped segment.
                                                  last          Favor last overlapped segment.
                                                  bsd           FreeBSD 4.x and newer, NetBSD 2.x and newer, OpenBSD 3.x and newer
                                                  linux         Linux 2.4 and newer
                                                  old-linux     Linux 2.2 and earlier
                                                  windows       Windows 2000, Windows XP, Windows 95/98/ME
                                                  win2003       Windows 2003 Server
                                                  vista         Windows Vista
                                                  solaris       Solaris 9.x and newer
                                                  hpux          HPUX 11 and newer
                                                  hpux10        HPUX 10
                                                  irix          IRIX 6 and newer
                                                  macos         MacOS 10.3 and newer
min_ttl <number>                              Minimum TTL. The default is "1", the minimum is "1", and the maximum is "255".
overlap_limit <number>                        Limits the number of overlapping packets per session. The default is "0" (unlimited), the minimum is "0", and the maximum is "255".
max_window <number>                           Maximum TCP window allowed. The default is "0" (unlimited), the minimum is "0", and the maximum is "1073725440" (65535 left shift 14). That is the highest possible TCP window per RFCs. This option is intended to prevent a DoS against Stream5 by an attacker using an abnormally large window, so using a value near the maximum is discouraged.
require_3whs [<number seconds>]               Establish sessions only on completion of a SYN/SYN-ACK/ACK handshake. The default is set to off. The optional number of seconds specifies a startup timeout. This allows a grace period during which existing sessions are considered established, for that interval immediately after Snort is started. The default is "0" (don't consider existing sessions established), the minimum is "0", and the maximum is "86400" (approximately 1 day).
detect_anomalies                              Detect and alert on TCP protocol anomalies. The default is set to off.
check_session_hijacking                       Check for TCP session hijacking. This check validates the hardware (MAC) address from both sides of the connection, as established during the 3-way handshake, against subsequent packets received on the session. If an Ethernet layer is not part of the protocol stack received by Snort, no checks are performed. Alerts are generated (per the 'detect_anomalies' option) for either the client or the server when the MAC address for one side or the other does not match. The default is set to off.
use_static_footprint_sizes                    Emulate Stream4 behavior when building the reassembled packet. The default is set to off.
dont_store_large_packets                      Performance improvement: do not queue large packets in the reassembly buffer. The default is set to off. Using this option may result in missed attacks.
ports <client|server|both> <all|number(s)>    Specify the side (client, server, or both) and the list of ports on which to perform reassembly. This can appear more than once in a given config. The default settings are ports client 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 514 1433 1521 2401 3306. The minimum port allowed is "1" and the maximum allowed is "65535".

Note: If no options are specified for a given TCP policy, that is the default TCP policy. If only a bind_to option is used with no other options, that TCP policy uses all of the default values.
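A small lint pass over stream5_tcp lines, added here as an example and not part of Snort or this manual: it joins backslash continuations, checks each value against the ranges and policy_id names in the table above, and confirms that exactly one unbound (default) policy is present. The sample configuration inside it is constructed for the demonstration.

```python
import re  # added example, not Snort code: lint stream5_tcp lines against the documented limits
POLICIES = {"first", "last", "bsd", "linux", "old-linux", "windows", "win2003",
            "vista", "solaris", "hpux", "hpux10", "irix", "macos"}
# option -> (min, max), taken from the option table on this page
RANGES = {"timeout": (1, 86400), "min_ttl": (1, 255), "overlap_limit": (0, 255),
          "max_window": (0, 65535 << 14), "require_3whs": (0, 86400)}
SAMPLE_CONF = """\
preprocessor stream5_tcp: policy windows, timeout 60, require_3whs, \\
    ports both 80 443
preprocessor stream5_tcp: bind_to 10.0.0.0/8, policy linux, max_window 2000000000
preprocessor stream5_tcp: bind_to 192.168.1.5, policy solaris, min_ttl 0, ports client 99999
"""  # constructed sample: one default policy plus two bound policies carrying bad values

def stream5_tcp_lines(conf):
    """Join backslash continuations; return the option text of each stream5_tcp line."""
    joined = re.sub(r"\\\s*\n", " ", conf)
    return re.findall(r"^\s*preprocessor\s+stream5_tcp[ \t]*:?[ \t]*(.*)", joined, re.M)

def lint_policy(opts):
    """Return (bound_to_address, problems) for one stream5_tcp option string."""
    problems, bound = [], False
    for item in filter(None, (s.strip() for s in opts.split(","))):
        name, *args = item.split()
        bound = bound or name == "bind_to"
        if name == "policy" and (not args or args[0] not in POLICIES):
            problems.append(f"unknown policy_id {args[0] if args else '<none>'}")
        elif name in RANGES:
            lo, hi = RANGES[name]
            if args and not (args[0].isdigit() and lo <= int(args[0]) <= hi):
                problems.append(f"{name} {args[0]} outside {lo}..{hi}")
            elif not args and name != "require_3whs":  # only require_3whs may omit its number
                problems.append(f"{name} needs a value")
        elif name == "ports" and (len(args) < 2 or args[0] not in ("client", "server", "both")):
            problems.append("ports needs <client|server|both> and a port list")
        elif name == "ports" and args[1] != "all":
            problems.extend(f"port {p} outside 1..65535" for p in args[1:]
                            if not (p.isdigit() and 1 <= int(p) <= 65535))
    return bound, problems

def lint_conf(conf):
    """Lint every stream5_tcp line; exactly one unbound (default) policy is required."""
    problems, defaults = [], 0
    for n, opts in enumerate(stream5_tcp_lines(conf), 1):
        bound, probs = lint_policy(opts)
        defaults += not bound
        problems.extend(f"policy {n}: {p}" for p in probs)
    if defaults != 1:
        problems.append(f"expected exactly one default (unbound) policy, found {defaults}")
    return problems
```

Running `lint_conf(SAMPLE_CONF)` flags the oversized max_window, the zero min_ttl and the out-of-range port while accepting the continued first line as the default policy.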


Steven Sturges 2008-04-01