[Oisf-devel] Question about the stream management module (StreamTcp)

Victor Julien victor at inliniac.net
Thu Jul 10 08:34:17 UTC 2014


On 07/09/2014 08:10 PM, Asim Jamshed wrote:
> I have a follow-up question relating to the chunk size.
> What was the reason behind the decision to randomize
> the chunk sizes?

We don't want the borders to be predictable. An attacker might split the
payload on the exact border.

Cheers,
Victor

> 
> --Asim
> 
> On Tue, Jul 8, 2014 at 10:19 AM, Asim Jamshed <asim.jamshed at gmail.com> wrote:
>> Thanks!
>>
>> On Tue, Jul 8, 2014 at 5:29 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>>> On Tue, Jul 8, 2014 at 1:49 PM, Victor Julien <victor at inliniac.net> wrote:
>>>> On 07/07/2014 05:04 PM, Anoop Saldanha wrote:
>>>>> On Mon, Jul 7, 2014 at 3:30 AM, Asim Jamshed <asim.jamshed at gmail.com> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have recently started using Suricata and have been browsing
>>>>>> the code. I have had previous practical and slight development
>>>>>> experience with Snort IDS. In specific, I have been trying to
>>>>>> analyze Suricata's stream management module. I haven't been
>>>>>> able to find enough documentation to answer a few questions I
>>>>>> had regarding the reassembly section of the module. The code
>>>>>> itself is somewhat complicated to follow. Therefore I am posting
>>>>>> the questions here. I apologize in advance if these questions
>>>>>> were previously asked as well.
>>>>>>
>>>>>> Q1. For a large (active) TCP flow, how many bytes (or segments)
>>>>>> does the module collect before it flushes it to the detect module.
>>>>>> I know that this variable can be adjusted via configuration file but
>>>>>> what is the default value? What is the name of the config variable
>>>>>> that can help me in changing that value?
>>>>>>
>>>>>
>>>>> If unspecified in the config file, it's 2560, else it's specified by the
>>>>> toserver-chunk-size option in the config file.
>>>>>
>>>>
>>>> By default some randomization is added as well, it will list the value
>>>> that is actually used at startup (if you use -v):
>>>>
>>>> [10054] 8/7/2014 -- 10:18:33 - (stream-tcp.c:570) <Info>
>>>> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2634
>>>> [10054] 8/7/2014 -- 10:18:33 - (stream-tcp.c:572) <Info>
>>>> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2440
>>>>
>>>
>>> Right.  I missed the randomization part.
>>>
>>> --
>>> -------------------------------
>>> Anoop Saldanha
>>> http://www.poona.me
>>> -------------------------------
>>> _______________________________________________
>>> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>> Redmine: https://redmine.openinfosecfoundation.org/
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
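The reasoning in Victor's reply (flush borders must not be predictable) modelled as an added example; this is not part of the thread or of Suricata's code. It assumes a simplified reassembler that flushes every chunk_size bytes and a +/-10 % randomization range; only the 2560 default and the logged sizes 2634 / 2440 come from the thread, the range and the helper names are assumptions.

```python
import random

# Values from the thread: default toserver-chunk-size is 2560, and the
# startup log showed randomized sizes (2634 and 2440). The +/-10 % range
# below is an assumption of this model, not a value quoted on the page.
DEFAULT_CHUNK_SIZE = 2560
RANDOM_RANGE_PCT = 10


def randomized_chunk_size(base=DEFAULT_CHUNK_SIZE, range_pct=RANDOM_RANGE_PCT,
                          rng=random):
    """Draw one chunk size uniformly from [base - spread, base + spread]."""
    spread = base * range_pct // 100
    return base + rng.randint(-spread, spread)


def flush_boundaries(stream_len, chunk_size):
    """Stream offsets at which a reassembler flushing every chunk_size bytes
    hands a new chunk to detection (simplified model, not Suricata's code)."""
    return range(chunk_size, stream_len, chunk_size)


def pattern_is_cut(pattern_start, pattern_len, boundaries):
    """True if a flush boundary falls strictly inside the pattern, so neither
    chunk on its own contains the complete pattern."""
    end = pattern_start + pattern_len
    return any(pattern_start < b < end for b in boundaries)


def fraction_of_sizes_that_cut(pattern_start, pattern_len, stream_len,
                               base=DEFAULT_CHUNK_SIZE,
                               range_pct=RANDOM_RANGE_PCT):
    """Share of all chunk sizes the randomization can produce whose flush
    boundary lands inside the pattern. With range_pct=0 the boundary is fixed
    and a pattern placed across it is cut every time; with randomization only
    the few sizes whose boundary hits that exact spot cut it."""
    spread = base * range_pct // 100
    sizes = range(base - spread, base + spread + 1)
    cut = sum(pattern_is_cut(pattern_start, pattern_len,
                             flush_boundaries(stream_len, s)) for s in sizes)
    return cut / len(sizes)


if __name__ == "__main__":
    # An 8-byte pattern placed so that it straddles offset 2560.
    start, length, stream = 2556, 8, 64 * 1024
    print("fixed 2560 boundary:", fraction_of_sizes_that_cut(start, length, stream, range_pct=0))
    print("randomized +/-10%  :", round(fraction_of_sizes_that_cut(start, length, stream), 4))
    rng = random.Random(2014)
    print("example draws      :", [randomized_chunk_size(rng=rng) for _ in range(3)])
```

With a fixed 2560 border the pattern is cut in 100 % of cases, with the randomized sizes only 7 of the 513 possible sizes cut it, which is the point of the thread: the border can no longer be known in advance.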



