Menu
▾
▴
Re: [Snort-inline-users] logging of timed out connections in stream4
|
From: Victor J. <vi...@nk...> - 2004-07-07 15:17:06
|
On Wednesday 07 July 2004 17:07, Geffrey Vel=E1squez wrote: <snip> > >>Victor, we are using the stateful inspection with Netfilter/Iptables, > >>and maybe we could disable the stream4 preprocessor, what is your > >>opinion. Maybe we could do some test with tools like stick and inject > >>packets in both scenarios, with stream4 enabled and disabled and rely on > >>Netfilter stateful inspection... > > > >Ehhhh...... Now i'm confused about the use of the stream4 preprocessor... > > is it 'only' a stateful inspection engine? I guess in that case we > > wouldn't need it when using Netfilter stateful inspection... or does it > > have other advantages (oh well, i guess you want to test just that!) > > > >Will all rules work as they should when the stream4 preproc is disabled, > > and we rely on iptables for the stateful inspection? > > > >Victor > > Stream4 for session tracking, scan detections and other anomalyes. I was under the impression (correct me if i'm wrong) that the stream4 prepr= oc=20 is also used to reconstruct a connection so we can inspect data that is=20 spread over multiple packets and fragments. How would this work when using= =20 the iptables stateful inspection? Or am i missing the point here? Regards, Victor |
