From: <gve...@mi...> - 2004-07-07 15:45:33
Victor Julien wrote:

> On Wednesday 07 July 2004 17:07, Geffrey Velásquez wrote:
>
> <snip>
>
>>>> Victor, we are using the stateful inspection with Netfilter/Iptables,
>>>> and maybe we could disable the stream4 preprocessor, what is your
>>>> opinion. Maybe we could do some test with tools like stick and inject
>>>> packets in both scenarios, with stream4 enabled and disabled and rely on
>>>> Netfilter stateful inspection...
>>>
>>> Ehhhh...... Now I'm confused about the use of the stream4 preprocessor...
>>> is it 'only' a stateful inspection engine? I guess in that case we
>>> wouldn't need it when using Netfilter stateful inspection... or does it
>>> have other advantages (oh well, I guess you want to test just that!)
>>>
>>> Will all rules work as they should when the stream4 preproc is disabled,
>>> and we rely on iptables for the stateful inspection?
>>>
>>> Victor
>>
>> Stream4 for session tracking, scan detections and other anomalies.
>
> I was under the impression (correct me if I'm wrong) that the stream4 preproc
> is also used to reconstruct a connection so we can inspect data that is
> spread over multiple packets and fragments. How would this work when using
> the iptables stateful inspection? Or am I missing the point here?
>
> Regards,
> Victor

stream4 does session reassembly (reassembles the tcp stream); also frag2 does packet reassembly, but it is disabled in the default snort_inline.conf:

# Done by IPTables. Iptables assembles fragments when we use connection
# tracking; therefore, we don't have to use frag2
# preprocessor frag2

The answer is above, and... maybe we must evaluate if we could avoid stream4

Geffrey
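
The case raised in the thread, rule content spread over several TCP segments, as an added example that is not part of the original messages and is not Snort's stream4 code: it compares matching each packet payload alone with matching on a reassembled stream. The function names, segment data and pattern are constructed for illustration; it assumes one direction of one session, no sequence-number wraparound, and a "first copy wins" policy for retransmitted bytes.

```python
# Added example: per-packet content matching vs. matching on a reassembled
# TCP stream. All names and sample data are constructed for illustration.

def match_per_packet(segments, pattern):
    """Inspect each segment payload alone, as rules do without stream reassembly."""
    return any(pattern in payload for _, payload in segments)

def reassemble(segments, isn):
    """Rebuild the byte stream for one direction of a TCP session.

    Orders segments by sequence number, drops bytes already seen
    (assumed policy: first copy wins) and stops at the first gap so
    that nothing is matched across missing data.
    """
    stream = bytearray()
    next_seq = isn + 1                      # first data byte follows the SYN
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > next_seq:
            break                           # gap: later data is not contiguous
        skip = next_seq - seq               # bytes of this segment already seen
        if skip >= len(payload):
            continue                        # pure retransmission
        stream += payload[skip:]
        next_seq += len(payload) - skip
    return bytes(stream)

def match_stream(segments, isn, pattern):
    """Match the pattern against the reassembled stream."""
    return pattern in reassemble(segments, isn)

# Constructed sample: (sequence number, payload) in arrival order,
# out of order and with one retransmitted segment.
ISN = 1000
PATTERN = b"/etc/passwd"
SEGMENTS = [
    (1018, b"sswd HTTP/1.0\r\n\r\n"),
    (1001, b"GET /../../etc"),
    (1015, b"/pa"),
    (1015, b"/pa"),
]

if __name__ == "__main__":
    print("per-packet match:", match_per_packet(SEGMENTS, PATTERN))
    print("stream match:    ", match_stream(SEGMENTS, ISN, PATTERN))
```

Connection tracking in Netfilter keeps session state and defragments IP, but the packets handed to snort_inline still carry one TCP segment each, so the per-packet result is what content rules see when no stream reassembly is done.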