Re: Reassembled packets from Frag3 and Stream5

[Wu Wei Dong <wu_weidong () yahoo com>]

So it's possible for the pseudo-packets reassembled by Frag3 and Stream5 to be identical, in terms of both the headers 
and payload, if the fragments are the same? Do the pseudo-packets go through the preprocessors again, since the decoder 
comes before the preprocessors?

Also, what do you mean by "performance increase that is gained by handling flows with an understanding of the stream 
state."?

Thank you.

Regards,
Rayne

--- On Tue, 10/14/08, Matt Olney <molney () sourcefire com> wrote:

> From: Matt Olney <molney () sourcefire com>
> Subject: Re: [Snort-users] Reassembled packets from Frag3 and Stream5
> To: hjazz6 () ymail com
> Cc: snort-users () lists sourceforge net
> Date: Tuesday, October 14, 2008, 9:00 PM
> The reassembled packets are identical to the combined
> payloads of the
> packets that are reassembled.  Snort reinjects the
> reassembled packets
> (pseudopackets) at the decoder level and detection is run
> against the
> reassembled packets.  While this does indeed add load to
> the system, this
> cost is entirely acceptable given the decrease in trivial
> evasion
> possibilies and is more than offset by the by performance
> increase that is
> gained by handling flows with an understanding of the
> stream state.
>
> Matt
>
> On Tue, Oct 14, 2008 at 4:42 AM, Rayne
> <hjazz6 () ymail com> wrote:
>
> > Hi all,
> >
> > I know that Frag3 reassembles IP fragments, and
> Stream5 reassembles TCP
> > fragments. So are the reassembled packets identical,
> i.e. in terms of
> > payload? And wouldn't this increase the volume of
> traffic passed into the
> > detection engine and cause it to run slower, since
> there are now more
> > packets to check against the rules?
> >
> > Thank you.
> >
> > Regards,
> > Rayne
> -------------------------------------------------------------------------
> > This SF.Net email is sponsored by the Moblin Your Move
> Developer's
> > challenge
> > Build the coolest Linux based applications with Moblin
> SDK & win great
> > prizes
> > Grand prize is a trip for two to an Open Source event
> anywhere in the world
> >
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> >
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>list
> archive:
> >
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move
> Developer's challenge
> Build the coolest Linux based applications with Moblin SDK
> & win great prizes
> Grand prize is a trip for two to an Open Source event
> anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



      

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users