[Oisf-devel] Question about the stream management module (StreamTcp)

Anoop Saldanha anoopsaldanha at gmail.com
Mon Jul 7 15:04:42 UTC 2014

On Mon, Jul 7, 2014 at 3:30 AM, Asim Jamshed <asim.jamshed at gmail.com> wrote:
> Hi,
> I have recently started using Suricata and have been browsing
> the code. I have had previous practical and slight development
> experience with Snort IDS. Specifically, I have been trying to
> analyze Suricata's stream management module. I haven't been
> able to find enough documentation to answer a few questions I
> had regarding the reassembly section of the module. The code
> itself is somewhat complicated to follow. Therefore I am posting
> the questions here. I apologize in advance if these questions
> were previously asked as well.
> Q1. For a large (active) TCP flow, how many bytes (or segments)
> does the module collect before it flushes it to the detect module?
> I know that this variable can be adjusted via configuration file but
> what is the default value? What is the name of the config variable
> that can help me in changing that value?

If unspecified in the config file, it's 2560, else it's specified by the
toserver-chunk-size option in the config file.

> Q2. As far as I know, Snort's stream5 may have a vulnerability
> that it cannot detect an attack string if the pattern spans across
> 2 or more reassembled segments. I know that the possibility of
> orchestrating such an attack by an actual adversary is slim. But
> I was wondering how Suricata's StreamTcp module deals
> with this issue.

Suricata has the same issue when inspecting the raw stream.

Anoop Saldanha
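
The chunk-boundary gap raised in Q2, as an added example that is not part of the original thread and is not Suricata's or Snort's code: a matcher that inspects each 2560-byte chunk in isolation misses a pattern straddling the boundary, while carrying the last len(pattern)-1 bytes into the next chunk closes the gap. The pattern, function names and sample stream are constructed for illustration.

```python
CHUNK_SIZE = 2560               # default chunk size quoted in the reply above
PATTERN = b"EXAMPLE-SIGNATURE"  # constructed, harmless marker (assumption)


def chunks(stream, size=CHUNK_SIZE):
    """Split a reassembled byte stream into fixed-size inspection chunks."""
    for off in range(0, len(stream), size):
        yield off, stream[off:off + size]


def find_all(data, pattern, base):
    """Return absolute offsets of every occurrence of pattern in data."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(base + pos)
        pos = data.find(pattern, pos + 1)
    return hits


def match_per_chunk(stream, pattern=PATTERN, size=CHUNK_SIZE):
    """Inspect each chunk in isolation: blind to boundary-spanning patterns."""
    hits = []
    for off, data in chunks(stream, size):
        hits += find_all(data, pattern, off)
    return hits


def match_with_overlap(stream, pattern=PATTERN, size=CHUNK_SIZE):
    """Prepend the previous len(pattern)-1 bytes to every chunk before matching.

    The carried tail is shorter than the pattern, so every match ends in new
    data and is reported exactly once.
    """
    keep, tail, hits = len(pattern) - 1, b"", []
    for off, data in chunks(stream, size):
        window = tail + data
        hits += find_all(window, pattern, off - len(tail))
        tail = window[-keep:] if keep else b""
    return hits


def build_sample():
    """Constructed stream: one pattern inside chunk 0, one across the boundary."""
    buf = bytearray(b"." * (3 * CHUNK_SIZE))
    inside, straddle = 100, CHUNK_SIZE - 5
    for start in (inside, straddle):
        buf[start:start + len(PATTERN)] = PATTERN
    return bytes(buf), inside, straddle
```
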
