Snort - the de facto standard for intrusion detection/prevention


3.18 How do I configure stream4?

Stream4 is a new preprocessor that performs two functions:

  • Stateful inspection of TCP sessions
  • TCP stream reassembly

Marty implemented stream4 out of the desire to have more robust stream reassembly capabilities and the desire to defeat the latest ``stateless attacks'' that have been coming out against Snort (cf. stick and snot, tools that flood a sensor with rule-matching packets that belong to no real TCP session). Stream4 is written with the intent to let Snort handle stream reassembly for ``enterprise class'' users, people who need to track and reassemble more than 256 streams simultaneously. Marty optimized the code fairly extensively to be robust, stable, and fast. The testing and calculations I've performed lead me to be fairly confident that stream4 can provide full stream reassembly for several thousand simultaneous connections and stateful inspection for upwards of 64,000 simultaneous sessions.

Stream4 is a large and complex piece of code (almost 2000 lines) and there are a lot of options associated with its runtime configuration, so I'll go over them here.

preprocessor stream4: [noinspect], [keepstats], [timeout <seconds>], [memcap <bytes>]

noinspect turns off stateful inspection (stream4 then only performs reassembly); keepstats records per-session summary statistics; timeout is the idle time, in seconds, after which a session is dropped from the state table; memcap caps, in bytes, the memory stream4 may use for session tracking and reassembly.

stream4_reassemble defaults:

Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE

There is a new command line switch that is used in concert with the stream4 code, ``-z''. The -z switch takes one of two arguments: ``est'' or ``all''. ``all'' is the default if nothing is specified and tells Snort to alert normally. With ``-z est'', Snort only alerts (for TCP traffic) on streams that have been established via a three-way handshake, or on streams where cooperative bidirectional activity has been observed (i.e. some traffic went one way and something other than a RST or FIN was seen going back to the originator). With ``-z est'' turned on, Snort completely ignores TCP-based stick/snot ``attacks'', since the forged packets those tools emit belong to no session that ever reaches that state. The flip side is that TCP traffic which never completes a handshake, such as the probe packets of a port scan or a single spoofed segment, cannot trigger a TCP rule in this mode either, so ``est'' trades alert coverage of unestablished traffic for immunity to alert flooding.
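The following snort.conf fragment is an added example and is not part of the original FAQ. It wires the stream4 and stream4_reassemble directives together and shows, in a comment, the command line that turns on ``est'' mode. The stream4_reassemble keywords (clientonly, serveronly, noalerts, ports) are the ones documented for the Snort 1.8-era preprocessor; the 60 second timeout, the 4 MB memcap and the port list are values chosen for illustration, not recommended settings.

```conf
# Added example snort.conf fragment (not from the original FAQ).
# Stateful inspection and session tracking: record per-session statistics,
# expire sessions idle for 60 seconds (assumed value), and cap the memory
# stream4 may use at 4 MB (assumed value; memcap is given in bytes).
preprocessor stream4: keepstats, timeout 60, memcap 4194304

# Stream reassembly. With no arguments the defaults listed above apply
# (client side only, the default port list, reassembly alerts on).
# Here reassembly is kept to the client side and limited to an assumed
# port list; serveronly would select the other direction, and noalerts
# would silence the reassembly (insertion/evasion) alerts for these ports.
preprocessor stream4_reassemble: clientonly, ports 21 23 25 80 110 143

# The -z switch is a command line option, not a snort.conf directive.
# Run Snort with -z est so that TCP rules alert only on sessions that
# completed a three-way handshake or showed cooperative bidirectional
# traffic; unsolicited single packets from stick/snot never reach that
# state and therefore never alert. Omitting -z (or passing -z all) keeps
# the normal behaviour of alerting on every matching TCP packet.
#   snort -c /etc/snort/snort.conf -i eth0 -z est
```

When switching an existing sensor to ``-z est'', compare alert volume before and after for a while: a sharp drop confirms the flood is gone, but alerts on handshake-less traffic (scans, single spoofed packets) disappear with it, so any rules relied on for those should be reviewed.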

