snort-devel July 2008 archive

Re: [Snort-devel] Stream5 Question

From: Steven Sturges <steve.sturges_at_nospam>
Date: Mon Jul 07 2008 - 17:37:38 GMT
To: snort user <snort.user@gmail.com>


Yes, Stream5 has been in use for a fairly significant amount of time and is just as stable as Stream4, if not more so.

The target-based reassembly is certainly the biggest feature of Stream5 when compared to Stream4. It emulates the documented systems very well in terms of handling overlapping data, resets, data on SYN, etc. Stream5 is also better at handling gaps in the data because of missed packets.

There are a number of other changes/updates in terms of processing TCP state transitions that are better handled by Stream5.

Stream5 has better performance in terms of caching the TCP segment data and doing the reassembly itself.

With SnortSP, Stream4 is not supported. ;)

Cheers.
-steve

snort user wrote:
> Hello and Greetings
>
> Stream5 has been in snort for quite sometime now, I am assuming that
> it is as stable as stream4
> (correct me if I am wrong)
>
> Having noted that, what are the features that are present in one and
> not the other?
>
> The obvious addition in stream5 is the 'target based reassembly'.
> I checked the READMEs and did not find anything else standing out.
>
> Are there any more features that Stream5 provides that are not there in Stream4?
> Are there any features that are missing in stream5 from stream4?
>
> Is one (stream4 or stream5) superior to the other from experience?
>
> Thanks !!
>
>
> On Wed, Sep 5, 2007 at 4:03 PM, Steven Sturges
> <steve.sturges@sourcefire.com> wrote:
>> Yes, that is correct.
>>
>> snort user wrote:
>>> And when a reassembly is done, both the reassembled stream as well as
>>> the current packet goes through the matching engine, right ?
>>> (in both modes - window and flush)
>>>
>>> On 9/5/07, Steven Sturges <steve.sturges@sourcefire.com> wrote:
>>>> By default Stream5 reassembles every 'n' segments, based on a flush point.
>>>>
>>>> However, any session can be programmatically changed/configured to
>>>> use the sliding window policy, which would reassemble with every
>>>> segment along a sliding window that is larger than the flush point.
>>>> Have a look at the stream api header file for details on the
>>>> set_reassembly() function.
>>>>
>>>> Cheers.
>>>> -steve
>>>>
>>>> snort user wrote:
>>>>> Hello and Greetings.
>>>>>
>>>>> Does stream5, in the inline mode, perform reassembly for every tcp
>>>>> segment (with data) ?
>>>>> or is it done every 'n' segments (where n > 1) based on when the flush
>>>>> point is reached ?
>>>>>
>>>>> Thanks




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
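
Added example, not part of the original thread and not Snort's code: a minimal model of why target-based handling of overlapping data matters to a sensor. The same constructed segments are reassembled under two simplified overlap policies (keep the first copy of a byte, or let the later copy win), and the result stops at the first gap. The names `reassemble`, `POLICY_FIRST`, `POLICY_LAST` and `sample` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define STREAM_MAX 64

/* Simplified overlap policies (assumption: real stacks have more variants). */
enum overlap_policy { POLICY_FIRST, POLICY_LAST };

struct segment {
    unsigned off;      /* offset relative to the initial sequence number */
    const char *data;  /* payload, NUL-terminated for this example */
};

/* Apply segs[] in arrival order. Returns the length of the contiguous data
 * starting at offset 0; anything after the first gap is not delivered. */
static size_t reassemble(const struct segment *segs, size_t n,
                         enum overlap_policy policy, char out[STREAM_MAX + 1])
{
    unsigned char filled[STREAM_MAX] = {0};
    size_t i, j, len;

    memset(out, 0, STREAM_MAX + 1);
    for (i = 0; i < n; i++) {
        len = strlen(segs[i].data);
        for (j = 0; j < len; j++) {
            size_t pos = segs[i].off + j;
            if (pos >= STREAM_MAX)
                break;
            /* FIRST keeps the byte already buffered; LAST overwrites it. */
            if (!filled[pos] || policy == POLICY_LAST) {
                out[pos] = segs[i].data[j];
                filled[pos] = 1;
            }
        }
    }
    for (len = 0; len < STREAM_MAX && filled[len]; len++)
        ;
    out[len] = '\0';   /* cut the stream at the first missing byte */
    return len;
}

/* Constructed sample: the second segment overlaps bytes 5..9 of the first. */
static const struct segment sample[] = {
    { 0, "user=alice" }, { 5, "admin" }, { 10, ";ok" },
};

int main(void)
{
    char first[STREAM_MAX + 1], last[STREAM_MAX + 1];
    reassemble(sample, 3, POLICY_FIRST, first);
    reassemble(sample, 3, POLICY_LAST, last);
    printf("first: %s\nlast:  %s\n", first, last);
    return 0;
}
```

If the sensor reassembles with a different policy than the destination host, the detection engine inspects a different byte stream than the one the application receives.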