From: Victor J. <vi...@nk...> - 2004-07-07 16:01:49

On Wednesday 07 July 2004 17:40, William Metcalf wrote:
> iptables handles fragment reassembly, the reassembly portion of stream4
> will not work without stream4 enabled. So yes you would miss alerts, need
> to look at reassembly and see if they have changed the way that the uber
> packet is constructed.

Thanks for the reminder :-)

So basically, for optimal security, it's not a question whether to use stream4 &
stream4_reassebly or not. For optimal security we want to use it. Correct?

> Regards,
>
> Will
>
> From: Victor Julien <vi...@nk...>
> Sent by: snort-inline-users-...@li...urceforge.net
> To: Geffrey Velásquez <gve...@mi...>
> cc: sno...@li...urceforge.net
> Date: 07/07/2004 10:16 AM
> Subject: Re: [Snort-inline-users] logging of timed out connections in stream4
>
> On Wednesday 07 July 2004 17:07, Geffrey Velásquez wrote:
> > <snip>
> >
> > >>Victor, we are using the stateful inspection with Netfilter/Iptables,
> > >>and maybe we could disable the stream4 preprocessor, what is your
> > >>opinion. Maybe we could do some test with tools like stick and inject
> > >>packets in both scenarios, with stream4 enabled and disabled and rely on
> > >>Netfilter stateful inspection...
> > >
> > >Ehhhh...... Now i'm confused about the use of the stream4 preprocessor...
> > > is it 'only' a stateful inspection engine? I guess in that case we
> > > wouldn't need it when using Netfilter stateful inspection... or does it
> > > have other advantages (oh well, i guess you want to test just that!)
> > >
> > >Will all rules work as they should when the stream4 preproc is disabled,
> > > and we rely on iptables for the stateful inspection?
> > >
> > >Victor
> >
> > Stream4 for session tracking, scan detections and other anomalies.
>
> I was under the impression (correct me if i'm wrong) that the stream4 preproc
> is also used to reconstruct a connection so we can inspect data that is
> spread over multiple packets and fragments. How would this work when using
> the iptables stateful inspection? Or am i missing the point here?
>
> Regards,
> Victor
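
The point raised in this thread, that content spread over several TCP segments can only be matched once the stream has been reassembled, shown as an added Python example (not Snort code and not written by any of the posters). The pattern, the segments and all function names are constructed for illustration.

```python
# Constructed illustration: matching a content string packet by packet versus
# matching it on the reassembled TCP stream. Not taken from Snort.

PATTERN = b"EXAMPLE-SIGNATURE"  # constructed content string a rule looks for

# Constructed client-to-server segments of one flow: (relative seq, payload).
# The pattern straddles two segments, one segment arrives out of order,
# and the first segment is retransmitted.
SEGMENTS = [
    (0, b"GET /index?q=EXAMPLE-"),
    (34, b" HTTP/1.0\r\n\r\n"),
    (21, b"SIGNATURE&x=1"),
    (0, b"GET /index?q=EXAMPLE-"),  # retransmission
]


def match_per_packet(segments, pattern=PATTERN):
    """Indexes of segments whose own payload contains the whole pattern."""
    return [i for i, (_, data) in enumerate(segments) if pattern in data]


def reassemble(segments):
    """Rebuild the contiguous byte stream starting at relative seq 0.

    Overlap handling is a policy choice; here bytes already accepted are
    kept and only data past the current end of the stream is appended.
    """
    stream = bytearray()
    for seq, data in sorted(segments, key=lambda s: s[0]):
        if seq > len(stream):
            break  # hole in the stream: later bytes cannot be inspected yet
        stream += data[len(stream) - seq:]
    return bytes(stream)


def match_reassembled(segments, pattern=PATTERN):
    """True if the pattern occurs anywhere in the reassembled stream."""
    return pattern in reassemble(segments)


if __name__ == "__main__":
    print("per-packet hits :", match_per_packet(SEGMENTS))
    print("reassembled hit :", match_reassembled(SEGMENTS))
```
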