[Oisf-devel] Question about the stream management module (StreamTcp)

Asim Jamshed asim.jamshed at gmail.com
Sun Jul 6 22:00:18 UTC 2014


Hi,

I have recently started using Suricata and have been browsing
the code. I have had previous practical and slight development
experience with Snort IDS. Specifically, I have been trying to
analyze Suricata's stream management module. I haven't been
able to find enough documentation to answer a few questions I
had regarding the reassembly section of the module. The code
itself is somewhat complicated to follow. Therefore I am posting
the questions here. I apologize in advance if these questions
were previously asked as well.

Q1. For a large (active) TCP flow, how many bytes (or segments)
does the module collect before it flushes them to the detect module?
I know that this variable can be adjusted via the configuration file, but
what is the default value? What is the name of the config variable
that can help me in changing that value?

Q2. As far as I know, Snort's stream5 may have a vulnerability
in that it cannot detect an attack string if the pattern spans across
2 or more reassembled segments. I know that the possibility of
an actual adversary orchestrating such an attack is slim. But
I was wondering how Suricata's StreamTcp module deals
with this issue.

Thanks,
--Asim
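
Q2 asks how a stream engine avoids missing a pattern that straddles two reassembled chunks. The following is an added example, not code from the original post or from Suricata: a toy reassembler that stitches TCP segments in sequence order, hands the data to a matcher in fixed-size chunks (chunk_size is a made-up parameter here, not a Suricata setting), and, when span_boundaries is set, carries the last len(pattern)-1 bytes of the previous chunk so a straddling match is still reported exactly once. Without the carry, the same split request line is missed.

```python
class StreamDetector:
    def __init__(self, patterns, chunk_size, span_boundaries=True):
        self.patterns = list(patterns)
        self.chunk_size = chunk_size            # bytes handed to the matcher per flush
        self.span_boundaries = span_boundaries  # keep a tail of the previous chunk?
        self.next_seq, self.pending = 0, {}     # next expected seq; out-of-order segments
        self.buffer, self.carry = b"", b""      # contiguous unflushed data; flushed tail
        self.flushed, self.hits = 0, []         # bytes flushed; list of (pattern, offset)

    def add_segment(self, seq, data):
        """Accept one TCP payload (relative seq number) in any arrival order."""
        self.pending[seq] = data
        while self.next_seq in self.pending:         # stitch contiguous data
            piece = self.pending.pop(self.next_seq)
            self.buffer += piece
            self.next_seq += len(piece)
        while len(self.buffer) >= self.chunk_size:   # flush full chunks
            self._flush(self.buffer[:self.chunk_size])
            self.buffer = self.buffer[self.chunk_size:]

    def finish(self):  # flush whatever is left at end of stream
        if self.buffer:
            self._flush(self.buffer)
            self.buffer = b""

    def _flush(self, chunk):
        maxlen = max(len(p) for p in self.patterns)
        view = self.carry + chunk                    # carried tail + new chunk
        base = self.flushed - len(self.carry)        # stream offset of view[0]
        for p in self.patterns:
            start = 0
            while (i := view.find(p, start)) != -1:
                if base + i + len(p) > self.flushed:  # skip hits already reported
                    self.hits.append((p, base + i))
                start = i + 1
        self.flushed += len(chunk)
        keep = maxlen - 1 if self.span_boundaries else 0
        self.carry = view[-keep:] if keep else b""

# Constructed sample: one request line split into an 8-byte and an 18-byte segment.
PATTERN = b"GET /etc/passwd"
PAYLOAD = b"GET /etc/passwd HTTP/1.0\r\n"
SEGMENTS = [(0, PAYLOAD[:8]), (8, PAYLOAD[8:])]

def scan(segments, patterns, chunk_size, span_boundaries):
    det = StreamDetector(patterns, chunk_size, span_boundaries)
    for seq, data in segments:        # segments may arrive in any order
        det.add_segment(seq, data)
    det.finish()
    return det.hits
```

With an 8-byte chunk the pattern is only found when span_boundaries is true; with a chunk larger than the whole payload both modes find it, which is why a small chunk size alone would be a detection gap.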
