From: Federico P. <pe...@ac...> - 2004-04-29 16:05:38
William Metcalf wrote:
> Anybody that needs a quick fix just remove the line in your
> snort_inline.conf that reads
>
> preprocessor stream4_reassemble: ports 3443, both
>
> and replace with
>
> preprocessor stream4_reassemble: both
>
> preprocessor http_inspect: global \
> iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
> profile all ports { 80 8080 8180 } oversize_dir_length 500

Hi all.

I'd like to ask two questions about this:

- I don't understand exactly this thread... Currently I am running snort-inline 2.1.1 with a conf file and it works OK. Is there any change in 2.1.2 that could make snort-inline stop working if I use the same conf for 2.1.2?

- Some time ago, I found that, if I enable stream4, some packets that actually should not pass snort-inline (because of drop rule hits) after a lot of tries finally pass. After asking about this on the list, Pieter Claassen told me that:

  ... The core code is the same for SNIL and Snort but the preprocessors are another story. The basic problem with stream4 is that it creates an "uber" packet that it then re-injects into the analysis stream so that attacks that normally would not be picked up because of boundary splits then get picked up. Stream4 normally reassembles about 4 Meg of data per stream if I remember correctly. In inline mode the basic problem is that the data already passed through the device by the time that the traditional stream4 approach picks the anomaly up. So how do you drop data that is already through? ...

  Is the stream4 problem solved? The only workaround that I found to that was to comment out all the stream4 preprocessor lines in the conf.

Thanks for...

--
Federico Petronio
pe...@ac...
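The point Pieter Claassen makes about stream4 in inline mode (the reassembled "uber" packet is inspected only after its segments have already been forwarded, so a drop verdict on it cannot take anything back) can be shown with a small simulation. The following is an added example and is not code from this thread or from the snort_inline project; `rule_hits`, `passive_style`, `hold_then_verdict` and the `/cgi-bin/evil` content are constructed stand-ins, not real Snort rules or internals. It contrasts passive-IDS-style reassembly used inline with a variant that holds segments until the reassembled data has been inspected, which is what an inline engine needs in order to drop a match that straddles a segment boundary.

```python
"""Constructed simulation of stream reassembly in an inline device.

passive_style:      forward each segment after a per-packet check, inspect the
                    reassembled stream afterwards (can only alert, never drop).
hold_then_verdict:  hold segments until a flush point, inspect the reassembled
                    data, then release or drop the held segments together.
"""
from dataclasses import dataclass

# Constructed stand-in for a drop rule's content match (not a real signature).
DROP_CONTENT = b"/cgi-bin/evil"


@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


def rule_hits(data: bytes) -> bool:
    """Content match of the constructed drop rule."""
    return DROP_CONTENT in data


def reassemble(segments):
    """Order segments by sequence number and concatenate their payloads.
    No overlap or retransmission handling; enough for the illustration."""
    return b"".join(s.payload for s in sorted(segments, key=lambda s: s.seq))


def passive_style(segments):
    """Passive-IDS reassembly used inline: each segment gets a per-packet check
    and, if clean, is forwarded immediately; the reassembled data is inspected
    only afterwards, when the bytes are already past the device.
    Returns (bytes forwarded, alert raised on the reassembled data)."""
    forwarded = []
    for seg in segments:
        if rule_hits(seg.payload):
            continue                      # per-packet hit: this segment is dropped
        forwarded.append(seg)             # no hit: already on the wire now
    alert = rule_hits(reassemble(forwarded))   # too late to drop anything
    return reassemble(forwarded), alert


def hold_then_verdict(segments, flush_bytes=1024):
    """Inline-safe variant: segments are held until a flush point (flush_bytes
    of payload or end of stream), the reassembled data is inspected, and the
    held segments are then either all released or all dropped.
    Returns (bytes forwarded, bytes dropped)."""
    held, forwarded, dropped = [], [], []

    def flush():
        if held:
            target = dropped if rule_hits(reassemble(held)) else forwarded
            target.extend(held)
            held.clear()

    for seg in segments:
        held.append(seg)
        if sum(len(s.payload) for s in held) >= flush_bytes:
            flush()
    flush()                               # end of stream is also a flush point
    return reassemble(forwarded), reassemble(dropped)


# Constructed sample input: the rule content straddles a segment boundary, and
# the segments arrive out of order to exercise sequence-number reassembly.
SPLIT_REQUEST = [
    Segment(9, b"bin/evil HTTP/1.0\r\n\r\n"),
    Segment(0, b"GET /cgi-"),
]
# Same request in one segment: the per-packet check alone is enough here.
WHOLE_REQUEST = [Segment(0, b"GET /cgi-bin/evil HTTP/1.0\r\n\r\n")]
BENIGN_REQUEST = [Segment(0, b"GET /index.html HTTP/1.0\r\n\r\n")]


if __name__ == "__main__":
    for name, stream in (("split", SPLIT_REQUEST), ("whole", WHOLE_REQUEST),
                         ("benign", BENIGN_REQUEST)):
        print(name, "passive_style:", passive_style(stream))
        print(name, "hold_then_verdict:", hold_then_verdict(stream))
```

For the split request, `passive_style` forwards the whole request and raises the alert only on the reassembled copy, which is exactly the "data already through" situation described in the quoted reply; `hold_then_verdict` drops both segments because the verdict is reached before anything is released. The cost of the holding approach is the latency and buffer memory of delaying segments until a flush point, which is the trade an inline deployment has to accept if it wants reassembly to be able to drop rather than merely alert.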