The Stream preprocessor is a target-based TCP reassembly module for Snort. It replaces both the Stream5 and the earlier Stream4 and flow preprocessors, and it is capable of tracking sessions fo"/>
The Stream preprocessor is a target-based TCP reassembly module for Snort. It replaces both the Stream5 and the earlier Stream4 and flow preprocessors, and it is capable of tracking sessions for both TCP and UDP.
Since Stream replaces Stream5, both cannot be used simultaneously. Stream registers for the same configuration keywords as Stream5 with the exception of ‘stream5_global’, which is now processed by the Session preprocessor. Existing configuration files should continure to work with the Stream as long as there is only one ‘stream5_global’ and it is included with the global options of the base policy.
TCP sessions are identified via the classic TCP “connection”. UDP sessions are established as the result of a series of UDP packets from two end points via the same set of ports. ICMP messages are tracked for the purposes of checking for unreachable and service unavailable messages, which effectively terminate a TCP or UDP session.
Stream, like Frag3, introduces target-based actions for handling of overlapping data and other TCP anomalies. The methods for handling overlapping data, TCP Timestamps, Data on SYN, FIN and Reset sequence numbers, etc. and the policies supported by Stream are the results of extensive research with many target operating systems.
Stream supports the modified Stream API that is now focused on functions specific to reassembly and protocol aware flushing operations. Session management functions have been moved to the Session API. The remaining API functions enable other protocol normalizers/preprocessors to dynamically configure reassembly behavior as required by the application layer protocol.
TCP protocol anomalies, such as data on SYN packets, data received outside the TCP window, etc are configured via the detect_anomalies option to the TCP configuration. Some of these anomalies are detected on a per-target basis. For example, a few operating systems allow data in TCP SYN packets, while others do not.
Protocol aware flushing of HTTP, SMB and DCE/RPC can be enabled with this option:
Stream adds support for a few rule options described below.
The ‘stream_size’ rule option allows a rule to match traffic according to the number of bytes observed, as determined by the TCP sequence numbers.
stream_size takes a number of comma-separated arguments in the following format:
Where direction is one of:
client - Client side traffic only server - Sever side traffic only both - Traffic from both sides either - Traffic from either side
Valid operators are:
= < > != <= >=
The ‘stream_reassemble’ rule option allows a rule to enable or disable TCP stream reassembly on matching traffic.
stream_reassemble takes a number of comma-separated arguments in the following format:
stream_reassemble:<enable|disable>,<server|client|both> [,noalert] [,fastpath]
To disable TCP reassembly for client traffic when we see a HTTP 200 Ok Response message:
alert tcp any 80 -> any any (flow:to_client,established; content:"200 OK"; stream_reassemble:disable,client,noalert;)
Global Configuration ——————– Global settings prevousily processed by Stream5 are now handled by Session. Stream calls as Session API method to get a copy of these settings for its use. Refer to README.session for details on the global configuration options.
Provides a means on a per IP address target to configure a TCP policy. This can have multiple occurrences, per policy that is bound to an IP address or network. One default policy must be specified, and that policy is not bound to an IP address or network.
If no options are specified for a given TCP policy, that is the default TCP policy. If only a bind_to option is used with no other options that TCP policy uses all of the default values.
Configuration for UDP session tracking. Since there is no target based binding, there should be only one occurrence of the UDP configuration. - Preprocessor name: stream5_udp - Options: timeout <number (secs)> - Session timeout. The default is “30”, the minimum is “1”, and the maximum is “86400” (approximately 1 day). ignore_any_rules - Don’t process any -> any (ports) rules for UDP that attempt to match payload if there are no port specific rules for the src or destination port. Rules that have flow or flowbits will never be ignored. This is a performance improvement, but may result in missed attacks. Using this does not affect rules that look at protocol headers, only those with content, PCRE, or byte test options. The default is “off”.
NOTE: with the ignore_any_rules option, a UDP rule will be ignored except when there is another port specific rule that may be applied to the traffic. For example, if a UDP rule specifies destination port 53, the ‘ignored’ any -> any rule will be applied to traffic to/from port 53, but NOT to any other source or destination port. A list of rule SIDs affected by this option are printed at Snort’s startup.
NOTE: with the ignore_any_rules option, if a UDP rule that uses any -> any ports includes either flow or flowbits, the ignore_any_rules option is effectively pointless. Because of the potential impact of disabling a flowbits rule, the ignore_any_rules option will be disabled in this case.
NOTE: ICMP is currently untested, in minimal code form and is NOT ready for use in production networks. It is not turned on by default.
Configuration for ICMP session tracking. Since there is no target based binding, there should be only one occurrence of the ICMP configuration. - Preprocessor name: stream5_icmp - Options: timeout <number (secs)> - Session timeout. The default is “30”, the minimum is “1”, and the maximum is “86400” (approximately 1 day).
1) This example configuration emulates the behavior of Stream4 (with UDP support enabled).
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ track_udp yes, track_icmp no preprocessor stream5_tcp: policy first, use_static_footprint_sizes preprocessor stream5_udp: ignore_any_rules
2) This configuration maps two network segments to different reassembly policies, one for Windows, one for Linux, with all other traffic falling to the default policy Solaris.
preprocessor stream5_global: track_tcp yes preprocessor stream5_tcp: bind_to 192.168.1.0/24, policy windows preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy linux preprocessor stream5_tcp: policy solaris
Stream uses generator ID 129. It is capable of alerting on 10 anomalies, all of which relate to TCP anomalies. There are no anomaly detection capabilities for UDP or ICMP. Check etc/gen-msg.map for the current list of GID 129 alerts.