Re: preprocessor normalize_tcp: ips

[Russ Combs <rcombs () sourcefire com>]

On Tue, Jan 10, 2012 at 9:06 AM, Jason Wallace <jason.r.wallace () gmail com>wrote:

> So is it safe to say that this option should not be used in an
> environment with a large number of host OSs that use a different
> reassembly method?

Wally, in inline mode, normalize_tcp: ips forces the reassembly policy to
first and ensures that any retransmitted data is the same as the original.
 It therefore won't matter how the hosts do reassembly.  So this option
should be used if you are inline.

> On Mon, Jan 9, 2012 at 4:31 PM, Russ Combs <rcombs () sourcefire com> wrote:
> > On Mon, Jan 9, 2012 at 12:18 PM, Jason Wallace <
> jason.r.wallace () gmail com>
> > wrote:
> > > Howdy,
> > >
> > > The manual states that if you set "preprocessor normalize_tcp: ips"
> > > that the ips option "ensure consistency in retransmitted data (also
> > > forces reassembly policy to "first"). Any segments that can't be
> > > properly reassembled will be dropped." Is this for streams or
> > > fragments?
> >
> >
> > Streams only.
> >
> > > Also, How does this affect later settings for stream5 and
> > > frag3?  Does it make host specific settings irrelevant?
> >
> >
> > It only overrides the reassembly policy.
> > > Thx,
> > > Wally
> ------------------------------------------------------------------------------
> > > Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a
> complex
> > > infrastructure or vast IT resources to deliver seamless, secure access
> to
> > > virtual desktops. With this all-in-one solution, easily deploy virtual
> > > desktops for less than the cost of PCs and save 60% on VDI
> infrastructure
> > > costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> Snort
> > > news!
------------------------------------------------------------------------------
Write once. Port to many.
Get the SDK and tools to simplify cross-platform app development. Create 
new or port existing apps to sell to consumers worldwide. Explore the 
Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
http://p.sf.net/sfu/intel-appdev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!