
Snort mailing list archives
[snort-users] Stream5 doesn't take into account every TCP segment
From: Emiliano Fausto <emiliano.fausto () gmail com>
Date: Mon, 9 Dec 2013 10:36:18 -0200
Hello everyone,

I have the Stream5 preprocessor working (thanks to Hui from the developer's team), but for some reason it's not taking into account every TCP segment. Therefore, it's just reassembling some TCP segmented streams, but not all of them. I'm using Wireshark with the option to reassemble TCP, and it shows correctly two packets reassembled, while the Stream5 preprocessor doesn't take them into account to reassemble them. I reviewed once and again the Stream5 options documentation in the Stream5.README, and I don't know what could be going on.

Here is the configuration I set for the preprocessor:

    config pax_max: 16000
    preprocessor stream5_global: track_tcp yes, \
        track_udp no, \
        track_icmp no, \
        max_tcp 262144, \
        max_active_responses 2, \
        min_response_seconds 5
    preprocessor stream5_tcp: policy linux, \
        overlap_limit 0, timeout 180, \
        ports both 3200

And I'm running a dynamic preprocessor of mine which takes every reassembled packet into account and just prints a line:

    /* cast the packet pointer first, then test the rebuilt-stream flag */
    if (((SFSnortPacket *) mypacket)->flags & FLAG_REBUILT_STREAM)
        _dpd.logMsg("A reassembled packet was received.\n");

But it's just being triggered sometimes, not always, and as I can see in Wireshark, there are several rebuilt streams.

Just in case, I'm running the SNORT process with option "-k none".

Thanks in advance,
Emiliano.