From: Victor J. <vi...@nk...> - 2004-07-07 16:03:32
On Wednesday 07 July 2004 17:45, Geffrey Velásquez wrote:
> Victor Julien escribió:
> >On Wednesday 07 July 2004 17:07, Geffrey Velásquez wrote:
> >
> ><snip>
> >
> >>>>Victor, we are using the stateful inspection with Netfilter/Iptables,
> >>>>and maybe we could disable the stream4 preprocessor, what is your
> >>>>opinion. Maybe we could do some tests with tools like stick and inject
> >>>>packets in both scenarios, with stream4 enabled and disabled, and rely
> >>>>on Netfilter stateful inspection...
> >>>
> >>>Ehhhh...... Now I'm confused about the use of the stream4
> >>>preprocessor... is it 'only' a stateful inspection engine? I guess in
> >>>that case we wouldn't need it when using Netfilter stateful
> >>>inspection... or does it have other advantages (oh well, I guess you
> >>>want to test just that!)
> >>>
> >>>Will all rules work as they should when the stream4 preproc is disabled,
> >>>and we rely on iptables for the stateful inspection?
> >>>
> >>>Victor
> >>
> >>Stream4 is for session tracking, scan detection and other anomalies.
> >
> >I was under the impression (correct me if I'm wrong) that the stream4
> >preproc is also used to reconstruct a connection so we can inspect data
> >that is spread over multiple packets and fragments. How would this work
> >when using the iptables stateful inspection? Or am I missing the point
> >here?
> >
> >Regards,
> >Victor
>
> stream4 does session reassembly (reassembles the TCP stream); frag2
> does packet reassembly too, but it is disabled in the default
> snort_inline.conf:
>
> # Done by IPTables. Iptables assembles fragments when we use connection
> # tracking; therefore, we don't have to use frag2
> # preprocessor frag2
>
> The answer is above, and... maybe we must evaluate if we could avoid
> stream4

Based on what William Metcalf just wrote, I think we can't. It would mean we
could miss alerts, which would mean less security...
> Geffrey
>
> >_______________________________________________
> >Snort-inline-users mailing list
> >Sno...@li...
> >https://lists.sourceforge.net/lists/listinfo/snort-inline-users
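As an added illustration of the point made in this thread (not code from the snort_inline project or from anyone on the list): Netfilter connection tracking reassembles IP fragments (which is why frag2 is commented out), but it does not reassemble TCP streams, so a content match split across two segments is only seen once something like stream4 has put the segments back together. The segments, signature and reassembler below are constructed for the example; the reassembler is a deliberately minimal stand-in for what stream4 does, not stream4 itself.

```python
# Added example, not part of the snort-inline thread or of Snort.
# Shows why disabling stream4 while relying on iptables conntrack can lose
# alerts: conntrack reassembles IP fragments, not TCP streams, so a
# signature spanning two TCP segments is invisible to per-packet matching.

from dataclasses import dataclass

# Constructed signature: a trivial content match, stands in for a Snort rule.
SIGNATURE = b"/etc/passwd"


@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


# Constructed sample traffic: one HTTP request delivered out of order, with
# the signature split across the two segments (".../etc/" | "passwd ...").
SEGMENTS = [
    Segment(seq=20, payload=b"passwd HTTP/1.0\r\n\r\n"),
    Segment(seq=0, payload=b"GET /cgi-bin/../etc/"),   # 20 bytes, ends mid-signature
]


def match_per_packet(segments, sig):
    """Per-packet inspection: return seqs of segments that contain sig on their own."""
    return [s.seq for s in segments if sig in s.payload]


def reassemble(segments):
    """Minimal TCP reassembler: order by seq, drop overlapping (retransmitted)
    bytes, stop at the first gap. Returns the contiguous stream from seq 0.
    A real engine (stream4) would buffer across the gap until it is filled."""
    stream = bytearray()
    expected = 0
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            break                      # hole in the stream: cannot continue yet
        start = expected - seg.seq     # bytes of this segment we already have
        if start < len(seg.payload):
            stream += seg.payload[start:]
            expected = seg.seq + len(seg.payload)
    return bytes(stream)


def match_stream(segments, sig):
    """Stream inspection: match sig against the reassembled byte stream."""
    return sig in reassemble(segments)


if __name__ == "__main__":
    print("per-packet hits:", match_per_packet(SEGMENTS, SIGNATURE))
    print("stream hit     :", match_stream(SEGMENTS, SIGNATURE))
```

Per-packet matching reports no hit on the constructed traffic; matching the reassembled stream does. Feeding the reassembler a retransmitted overlap (for example seq 0 `abc` followed by seq 2 `cde`) yields `abcde`, and a segment that starts past the next expected byte leaves the stream incomplete rather than matching on garbage.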