Menu
▾
▴
[Snort-inline-users] Stream4 and snort_inline anybody have any ideas?
|
From: William M. <Wil...@kc...> - 2004-05-14 07:57:37
|
Alright so here is what I have found so far regarding snort_inline and = the stream4 preprocessor. From what I can tell when an alert is detected i= n traffic being reassembled in stream4. InlineDrop(); Is called and the= packet is properly dropped. I believe the problem is in the way that Stream4 handles an un-acked packet, It stores the packet and loops it through StoreStreamPkt waiting for an ack from our server that "should"= never answer. This would not be a problem if we could some how set an infinite PRUNE_QUANTA and STREAM4_TTL_LIMIT on packets that generated= an alert. If this were possible we could just wait for the RST from the se= rver in which case the session would be deleted from Stream4. Otherwise we = hit our TTL and PRUNE limits and the stream gets dropped from stream4 prematurely. I changed these values globally in my spp_stream4.c file,= and everything I have been throwing at snort_inline seems to get dropped correctly. The only thing I'm worried about is that on a busy network w= e would hit our memory limit for Stream4 and start pruning sessions becau= se of it. The default is 8mb, If you up these values I would also suggest= that up the amount of memory you are using for stream4. This method kin= d of stinks, Does anybody have a better Idea of how to do this without completely rewriting stream4? Is stream4 really worth all of the effort= . Is there anything else you guy's want would rather see working in snort_inline? Regards, Will= |
