
Snort Forums Archive


stream4 reassembly


Posted by pdordal on December 05, 2005 14:17:02

I would like to know a little more about just what the stream4 tcp preprocessor assembles incoming packets *into*. I'm gathering that its output is a sequence of "superpackets" rather than a true bytestream. Am I on the right track here? More specifically,

* Where in spp_stream4.c (or elsewhere) is the "output" generated (that is, passed up to the detection layer)? FlushStream(Stream*, Packet*, int)?

* Is it possible for an attack to escape detection because it straddles the stream4 reassembly boundaries? Is this a concern?

* Is there stream4 documentation beyond what's in the snort manual?

Posted by brevizniak on December 05, 2005 16:55:44

A pseudo packet is created and inspected like a standard packet. If an alert is generated and you are using unified output, the member packets that created the pseudo packet will be output as an alert with the first packet associated and the remaining tagged to that alert.

IIRC FlushStream is the place. If you need more help on specifics I'll look at the code again when I have a few spare moments.

It could be possible for an attack to escape detection by straddling a reassembly boundary, but only if the attacker can predict the flush points. This is why the boundary randomization was added, and it should mitigate the threat of predictable boundaries when used.

There is no detailed stream4 documentation beyond the manual and the code that I am aware of.
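A toy model of the two points made in this thread, pseudo-packets being inspected individually and flush-point randomization removing the predictable boundary. This is an added example, not Snort or stream4 code; the 128-byte flush point, the 100..200 randomized range and the `/bin/sh` content pattern are constructed values, not stream4's real defaults.

```python
# Constructed content pattern the detector looks for (not a real Snort rule).
SIGNATURE = b"/bin/sh"

def flush_stream(segments, flush_size):
    """Toy model of stream4-style reassembly: in-order TCP segment payloads
    are appended to a per-session buffer, and each time the buffer reaches
    flush_size bytes a pseudo-packet is cut off and handed to detection.
    Whatever remains is flushed when the session ends."""
    buf, pseudo_packets = b"", []
    for seg in segments:
        buf += seg
        while len(buf) >= flush_size:
            pseudo_packets.append(buf[:flush_size])
            buf = buf[flush_size:]
    if buf:
        pseudo_packets.append(buf)
    return pseudo_packets

def detect(pseudo_packets, signature=SIGNATURE):
    """Each pseudo-packet is inspected on its own, like a real packet, so a
    pattern split across two of them is never seen as a whole."""
    return any(signature in p for p in pseudo_packets)

def stream_with_signature_at(offset, total=512, seg_len=16):
    """Constructed session payload: filler with SIGNATURE at byte `offset`,
    delivered as seg_len-byte segments (segmentation is not the issue here,
    only where the reassembler cuts the stream)."""
    data = b"A" * offset + SIGNATURE
    data += b"A" * (total - len(data))
    return [data[i:i + seg_len] for i in range(0, total, seg_len)]

def fixed_flush_point_misses(flush_size=128):
    """With a fixed, predictable flush point a pattern that happens to span
    the boundary is split across two pseudo-packets; returns True when the
    detector misses it."""
    segs = stream_with_signature_at(flush_size - 3)   # occupies bytes 125..131
    return not detect(flush_stream(segs, flush_size))

def flush_sizes_that_miss(lo=100, hi=200, offset=125):
    """Enumerate an assumed randomized flush-size range: only the few sizes
    whose boundary lands inside the pattern still miss it, so a boundary
    chosen at random per session is no longer reliably predictable."""
    segs = stream_with_signature_at(offset)
    return [fs for fs in range(lo, hi + 1)
            if not detect(flush_stream(segs, fs))]

if __name__ == "__main__":
    print("fixed 128-byte flush point missed the pattern:", fixed_flush_point_misses())
    misses = flush_sizes_that_miss()
    print("flush sizes in 100..200 that miss it:", misses, f"({len(misses)}/101)")
```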