[Oisf-devel] TCP stream reassembly

Victor Julien victor at inliniac.net
Wed Nov 9 17:27:57 UTC 2011


Neither Snort nor Suricata uses libnids. If you're interested in the
Suricata stream reassembly code, check the source; I'd start with
StreamTcpReassembleHandleSegment in src/stream-tcp-reassemble.c.

Cheers,
Victor

On 11/01/2011 04:12 PM, Kevin Ross wrote:
> Sorry, I am not familiar with it as I am not really a programmer. I would
> recommend, however, using the latest Snort builds for this rather than 2.8.6,
> because it means you can get more familiar with current detection
> capabilities as well as possible fixes and improvements in the code.
> 
> Snort certainly does need libdnet, libnet etc. before you can compile, but I
> don't know any specifics. I have also copied in oisf-devel, so perhaps
> someone there may be kind enough to help, or perhaps point you in the right
> direction of where to look in Suricata (
> http://www.openinfosecfoundation.org/index.php/downloads) instead for their
> stream reassembly, if the Snort community/VRT doesn't get back to you.
> 
> 
> 2011/11/1 anjing83830 at 163.com <anjing83830 at 163.com>
> 
>> Hello:
>>       Thank you for your reply!
>>    I read the user manual and configured snort.conf, and it is running.
>> Recently I have been studying the snort-2.8.6 source code, but I cannot find
>> the TCP stream reassembly function; I only found that the stream5
>> preprocessor function is "stream5process". So I don't know how the TCP
>> stream reassembly module is implemented. On the internet someone mentioned
>> that Snort's TCP stream reassembly is based on libnids, using the libnids
>> API to reassemble TCP streams; is that right?
>>       If you are familiar with the Snort source code, I look forward to your
>> help.
>>       Thank you!
>>
>> On November 1, 4:53 PM, Kevin Ross <kevros... at googlemail.com> wrote:
>>> Yes it does, using the stream5 preprocessor. Read the Snort manual on
>>> configuring the stream5 preprocessor for more info and look at the example
>>> configuration in the snort.conf distributed with the Snort source. You may
>>> also want to look at a tool called hogger (google "snort hogger" or "hogger
>>> host attribute file"). That tool can take nmap scans of your network and
>>> generate host attribute files, which are like maps of the network and are
>>> used both for applying rules to traffic flows, I believe, and for stream and
>>> fragment reassembly (it makes it more accurate for things like whether it is
>>> a BSD-based OS, Linux, Windows etc.; it will make sure it reassembles
>>> correctly for the OS). I think this helps accuracy, limits false positives
>>> and perhaps also performance, though I'm not sure on that one; it certainly
>>> doesn't make it any worse.
>>>
>>> On 1 November 2011 03:09, anjing83... at 163.com <anjing83... at 163.com> wrote:
>>>
>>>> Does Snort perform TCP stream reassembly? How is it done?
>>>> Thank you!
>>>
>>>> --
>>>> To post to this group, send email to snortusers at googlegroups.com
>>>
>>>> Please visit http://blog.snort.org for the latest news about Snort!
>>
> 
> 
> 
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
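Kevin's point about host attribute files is the core of target-based reassembly: the sensor has to resolve out-of-order and overlapping segments the way the destination host will, otherwise an attacker can make the IDS reconstruct one byte stream while the server reconstructs another. The following is an added illustration written for this page (it is not Snort's stream5 code nor Suricata's src/stream-tcp-reassemble.c): a minimal reassembler that buffers out-of-order segments, delivers only the contiguous prefix, refuses to rewrite bytes already handed to detection, and picks an overlap policy per destination from a constructed host table. The addresses, the two policy names (first-wins and last-wins) and the host-to-policy mapping are assumptions; real engines define several finer-grained OS-specific policies (Snort's stream5 `policy` option, for instance) and decide when to flush based on ACKs and timeouts rather than on a single call.

```python
"""Minimal target-based TCP stream reassembler (added illustration, not Snort/Suricata code)."""
from dataclasses import dataclass, field

# Overlap policies. Real engines have finer-grained, OS-specific variants;
# these two are the extremes that matter for evasion.
FIRST = "first"  # the bytes that arrived first win on overlap
LAST = "last"    # the most recently arrived bytes overwrite on overlap

# Constructed host-attribute table (assumption): destination IP -> overlap policy.
# In Snort this information would come from the host attribute file / stream5 config.
HOST_POLICY = {
    "10.0.0.5": FIRST,
    "10.0.0.9": LAST,
}

SEQ_MASK = 0xFFFFFFFF


@dataclass
class Stream:
    """One direction of a TCP connection: buffered bytes keyed by offset from the ISN."""
    isn: int                                 # sequence number of the SYN; first data byte is isn+1
    policy: str
    buf: dict = field(default_factory=dict)  # relative offset -> byte value
    next_rel: int = 0                        # next relative offset to deliver to detection

    def insert(self, seq: int, payload: bytes) -> None:
        """Store a segment, resolving overlaps according to the target's policy."""
        rel = (seq - self.isn - 1) & SEQ_MASK  # offset of the first payload byte
        for i, b in enumerate(payload):
            off = rel + i
            if off < self.next_rel:
                # Already delivered to the detection engine: a retransmission
                # cannot rewrite history under either policy.
                continue
            if off in self.buf and self.policy == FIRST:
                continue
            self.buf[off] = b

    def flush(self) -> bytes:
        """Deliver the contiguous run starting at next_rel; bytes past a gap stay buffered."""
        out = bytearray()
        while self.next_rel in self.buf:
            out.append(self.buf.pop(self.next_rel))
            self.next_rel += 1
        return bytes(out)

    def pending(self) -> int:
        """Bytes held behind a gap (or out of order) that are not yet deliverable."""
        return len(self.buf)


def reassemble(dst_ip: str, isn: int, segments):
    """Feed (seq, payload) segments in arrival order and flush once; returns (data, stream)."""
    stream = Stream(isn, HOST_POLICY.get(dst_ip, FIRST))
    for seq, payload in segments:
        stream.insert(seq, payload)
    return stream.flush(), stream


# Constructed capture: out-of-order arrival, an overlap, and a segment behind a gap.
ISN = 1000
SEGMENTS = [
    (1006, b"WORLD"),  # rel 5..9, arrives before the data in front of it
    (1001, b"HELLO"),  # rel 0..4
    (1003, b"xyz"),    # rel 2..4, overlaps "LLO": the evasion case
    (1014, b"TAIL"),   # rel 13..16, nothing yet at rel 10..12
]

if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.9"):
        data, stream = reassemble(ip, ISN, SEGMENTS)
        print(ip, stream.policy, data, "pending:", stream.pending())
        stream.insert(1011, b"!!!")  # fills the gap at rel 10..12
        print(ip, stream.policy, stream.flush())
```

The same four segments yield `HELLOWORLD` for the first-wins host and `HExyzWORLD` for the last-wins host, while `TAIL` stays buffered for both until the gap is filled; a sensor that applies the wrong policy for the target inspects a payload the server never sees.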



