Snort - the de facto standard for intrusion detection/prevention
next up previous contents
Next: Notes Up: Stream4 Previous: Stream4 Format   Contents

stream4_reassemble Format

preprocessor stream4_reassemble: [clientonly], [serveronly], [both], [noalerts], \
                                 [favor_old], [favor_new], [flush_on_alert], \
                                 [flush_behavior random|default|large_window], \
                                 [flush_base <number>], [flush_range <number>], \
                                 [flush_seed <number>], [overlap_limit <number>], \
                                 [ports <portlist>], [emergency_ports <portlist>], \
                                 [zero_flushed_packets], [flush_data_diff_size <number>], \
                                 [large_packet_performance]
Option / Description

clientonly
    Provides reassembly for the client side of a connection only.
serveronly
    Provides reassembly for the server side of a connection only.
both
    Reassemble both the client and the server side of a connection.
noalerts
    Do not alert on events that may be insertion or evasion attacks.
favor_old
    When segments overlap, favor the old segment over the new one, based on sequence number.
favor_new
    When segments overlap, favor the new segment over the old one, based on sequence number.
flush_on_alert
    Flush a stream when an individual packet in it causes an alert.
flush_behavior random|default|large_window
    Use the specified flush behavior. default uses the old static flush points. large_window uses the newer, larger flush points. random uses random flush points defined by flush_base, flush_seed and flush_range.
flush_base <number>
    Lowest allowed random flush point. The default value is 512 bytes. Only used if flush_behavior is random.
flush_range <number>
    Size of the range above flush_base within which random flush points are generated. The default value is 1213. Only used if flush_behavior is random.
flush_seed <number>
    Seed for the random flush points. The default value is computed from the Snort PID plus the current time. Only used if flush_behavior is random.
overlap_limit <number>
    Alert when the number of overlapping data bytes reaches this threshold.
ports <portlist>
    Provides reassembly for a whitespace-separated list of ports. By default, reassembly is performed for ports 21, 23, 25, 42, 53, 80, 110, 111, 135, 136, 137, 139, 143, 445, 513, 1443, 1521, and 3306. To perform reassembly for all ports, use all as the port list.
emergency_ports <portlist>
    Ports for which reassembly is ALWAYS performed when Snort is in 'self-preservation' mode. They define the minimum set of ports that keeps being reassembled when Snort is under duress from high traffic rates. The default ports are the same as for the ports option.
flush_data_diff_size <number>
    Minimum size of a rebuilt packet at which the unfilled space in it is zeroed out.
zero_flushed_packets
    Zero out any space that is not filled in when flushing a rebuilt packet.
large_packet_performance
    Do not buffer and reassemble consecutive large packets (larger than twice the flush point). The chance of catching an attack that spans such large packets is small compared to the CPU and memory cost of copying and re-copying them.
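As an added example (not Snort's own code and not part of the manual), the following Python linter parses a stream4_reassemble directive as the format above describes it, applies the defaults the table states, and warns about combinations the table says are contradictory or ignored: more than one of clientonly/serveronly/both, both favor_old and favor_new, or flush_base/flush_range/flush_seed without flush_behavior random. The directive it checks is a constructed snort.conf fragment, and the random flush window it reports is a reading of the flush_base and flush_range descriptions (lowest point, plus the range above it), not taken from Snort's source. Option and argument separators (commas between options, spaces inside a port list) follow the syntax line above.

```python
import re

# Defaults stated on this page (port list reproduced verbatim, 1443 included).
DEFAULT_PORTS = (21, 23, 25, 42, 53, 80, 110, 111, 135, 136, 137, 139,
                 143, 445, 513, 1443, 1521, 3306)
DEFAULT_FLUSH_BASE = 512
DEFAULT_FLUSH_RANGE = 1213

SIDE_OPTIONS = {"clientonly", "serveronly", "both"}
FLAG_OPTIONS = SIDE_OPTIONS | {"noalerts", "favor_old", "favor_new",
                               "flush_on_alert", "zero_flushed_packets",
                               "large_packet_performance"}
NUMERIC_OPTIONS = {"flush_base", "flush_range", "flush_seed",
                   "overlap_limit", "flush_data_diff_size"}
PORTLIST_OPTIONS = {"ports", "emergency_ports"}
FLUSH_BEHAVIORS = {"random", "default", "large_window"}

_HEAD = re.compile(r"\s*preprocessor\s+stream4_reassemble\s*:?\s*(.*)", re.S)


def _parse_portlist(option, words):
    """'all' or a whitespace-separated list of TCP ports, as the page describes."""
    if words == ["all"]:
        return "all"
    if not words:
        raise ValueError(f"{option}: empty port list")
    ports = []
    for w in words:
        if not w.isdigit() or int(w) > 65535:
            raise ValueError(f"{option}: bad port {w!r}")
        ports.append(int(w))
    return tuple(ports)


def parse_stream4_reassemble(directive):
    """Parse one directive; return (settings dict, list of warning strings).

    Raises ValueError on malformed input. Backslash-newline continuations
    are joined first, as snort.conf allows them.
    """
    m = _HEAD.match(directive.replace("\\\n", " "))
    if not m:
        raise ValueError("not a stream4_reassemble directive")

    cfg = {
        "sides": None,          # None = not given; Snort's own default applies
        "flags": set(),
        "ports": DEFAULT_PORTS,
        "emergency_ports": DEFAULT_PORTS,
        "flush_behavior": "default",
        "flush_base": DEFAULT_FLUSH_BASE,
        "flush_range": DEFAULT_FLUSH_RANGE,
    }
    explicit = set()
    warnings = []

    # Options are comma-separated; an option's arguments are space-separated.
    for item in m.group(1).split(","):
        words = item.split()
        if not words:
            continue
        key, args = words[0], words[1:]
        explicit.add(key)
        if key in FLAG_OPTIONS:
            if args:
                raise ValueError(f"{key} takes no argument")
            if key in SIDE_OPTIONS:
                if cfg["sides"] is not None and cfg["sides"] != key:
                    warnings.append(f"{cfg['sides']} and {key} both given; pick one")
                cfg["sides"] = key
            else:
                cfg["flags"].add(key)
        elif key in NUMERIC_OPTIONS:
            if len(args) != 1 or not args[0].isdigit():
                raise ValueError(f"{key} needs one numeric argument")
            cfg[key] = int(args[0])
        elif key in PORTLIST_OPTIONS:
            cfg[key] = _parse_portlist(key, args)
        elif key == "flush_behavior":
            if len(args) != 1 or args[0] not in FLUSH_BEHAVIORS:
                raise ValueError("flush_behavior must be random|default|large_window")
            cfg["flush_behavior"] = args[0]
        else:
            raise ValueError(f"unknown stream4_reassemble option {key!r}")

    if {"favor_old", "favor_new"} <= cfg["flags"]:
        warnings.append("favor_old and favor_new both given; pick one")
    if cfg["flush_behavior"] != "random":
        for k in ("flush_base", "flush_range", "flush_seed"):
            if k in explicit:
                warnings.append(f"{k} is only used with flush_behavior random")
    return cfg, warnings


def random_flush_window(cfg):
    """(lowest, highest) random flush point, or None unless flush_behavior is random.

    Assumption: the page calls flush_base the lowest allowed flush point and
    flush_range the space within which points are generated, so the window is
    read as [flush_base, flush_base + flush_range]; Snort's source not consulted.
    """
    if cfg["flush_behavior"] != "random":
        return None
    return cfg["flush_base"], cfg["flush_base"] + cfg["flush_range"]


# Constructed snort.conf fragment for illustration, not from any real deployment.
EXAMPLE = """preprocessor stream4_reassemble: both, ports 21 23 25 80 443 8080, \\
    flush_behavior random, flush_base 512, flush_range 1213, \\
    flush_on_alert, overlap_limit 10"""

if __name__ == "__main__":
    settings, warns = parse_stream4_reassemble(EXAMPLE)
    print(settings["sides"], settings["ports"], random_flush_window(settings))
    for w in warns:
        print("warning:", w)
```

Run it against a directive copied out of snort.conf before restarting Snort; a non-empty warning list means the line will load but not do what its options suggest (for example, flush_range silently ignored because flush_behavior was left at default).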


Steven Sturges 2007-05-11