'Re: [Snort-devel] Stream5 Question'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-devel
Subject:    Re: [Snort-devel] Stream5 Question
From:       Steven Sturges <steve.sturges () sourcefire ! com>
Date:       2007-09-05 20:03:05
Message-ID: 46DF0B79.3050202 () sourcefire ! com
[Download RAW message or body]

Yes, that is correct.

snort user wrote:
> And when a reassembly is done, both the reassembled stream as well as
> the current packet goes through the matching engine, right ?
> (in both modes - window and flush)
> 
> 
> 
> 
> On 9/5/07, Steven Sturges <steve.sturges@sourcefire.com> wrote:
>> By deafult Stream5 reassembles every 'n' segments, based on a flush point.
>>
>> However, any session can be programatically changed/configured to
>> use the sliding window policy, which would reassemble with every
>> segment along a sliding window that is larger than the flush point.
>> Have a look at the stream api header file for details on the
>> set_reassembly() function.
>>
>> Cheers.
>> -steve
>>
>> snort user wrote:
>>> Hello and Greetings.
>>>
>>> Does stream5, in the inline mode, perform reassembly for every tcp
>>> segment (with data) ?
>>> or is it done every 'n' segments (where n > 1) based on when the flush
>>> point is reached ?
>>>
>>> Thanks
>>>
>>> -------------------------------------------------------------------------
>>> This SF.net email is sponsored by: Splunk Inc.
>>> Still grepping through log files to find problems?  Stop.
>>> Now Search log events and configuration files using AJAX and a browser.
>>> Download your FREE copy of Splunk now >>  http://get.splunk.com/
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> _______________________________________________
> Snort-devel mailing list
> Snort-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic