[Oisf-devel] Question about the stream management module (StreamTcp)

Peter Manev petermanev at gmail.com
Fri Jul 11 07:07:08 UTC 2014


On Thu, Jul 10, 2014 at 10:35 PM, Asim Jamshed <asim.jamshed at gmail.com> wrote:
> Oh okay... this makes sense now.
> So randomizing the chunk sizes seems to reduce the chances
> of the attack that I originally mentioned in the 2nd question,
>

correct.

> --Asim
>
> On Thu, Jul 10, 2014 at 1:34 AM, Victor Julien <victor at inliniac.net> wrote:
>> On 07/09/2014 08:10 PM, Asim Jamshed wrote:
>>> I have a follow-up question relating to the chunk size.
>>> What was the reason behind the decision to randomize
>>> the chunk sizes?
>>
>> We don't want the borders to be predictable. An attacker might split the
>> payload on the exact border.
>>
>> Cheers,
>> Victor
>>
>>>
>>> --Asim
>>>
>>> On Tue, Jul 8, 2014 at 10:19 AM, Asim Jamshed <asim.jamshed at gmail.com> wrote:
>>>> Thanks!
>>>>
>>>> On Tue, Jul 8, 2014 at 5:29 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
>>>>> On Tue, Jul 8, 2014 at 1:49 PM, Victor Julien <victor at inliniac.net> wrote:
>>>>>> On 07/07/2014 05:04 PM, Anoop Saldanha wrote:
>>>>>>> On Mon, Jul 7, 2014 at 3:30 AM, Asim Jamshed <asim.jamshed at gmail.com> wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have recently started using Suricata and have been browsing
>>>>>>>> the code. I have had previous practical and slight development
>>>>>>>> experience with Snort IDS. In specific, I have been trying to
>>>>>>>> analyze Suricata's stream management module. I haven't been
>>>>>>>> able to find enough documentation to answer a few questions I
>>>>>>>> had regarding the reassembly section of the module. The code
>>>>>>>> itself is somewhat complicated to follow. Therefore I am posting
>>>>>>>> the questions here. I apologize in advance if these questions
>>>>>>>> were previously asked as well.
>>>>>>>>
>>>>>>>> Q1. For a large (active) TCP flow, how many bytes (or segments)
>>>>>>>> does the module collect before it flushes it to the detect module.
>>>>>>>> I know that this variable can be adjusted via configuration file but
>>>>>>>> what is the default value? What is the name of the config variable
>>>>>>>> that can help me in changing that value?
>>>>>>>>
>>>>>>>
>>>>>>> If unspecified in the config file, it's 2560, else it's specified by the
>>>>>>> toserver-chunk-size option in the config file.
>>>>>>>
>>>>>>
>>>>>> By default some randomization is added as well, it will list the value
>>>>>> that is actually used at startup (if you use -v):
>>>>>>
>>>>>> [10054] 8/7/2014 -- 10:18:33 - (stream-tcp.c:570) <Info>
>>>>>> (StreamTcpInitConfig) -- stream.reassembly "toserver-chunk-size": 2634
>>>>>> [10054] 8/7/2014 -- 10:18:33 - (stream-tcp.c:572) <Info>
>>>>>> (StreamTcpInitConfig) -- stream.reassembly "toclient-chunk-size": 2440
>>>>>>
>>>>>
>>>>> Right.  I missed the randomization part.
>>>>>
>>>>> --
>>>>> -------------------------------
>>>>> Anoop Saldanha
>>>>> http://www.poona.me
>>>>> -------------------------------
>>>>> _______________________________________________
>>>>> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
>>>>> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
>>>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>>> Redmine: https://redmine.openinfosecfoundation.org/
>>>
>>
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>

-- 
Regards,
Peter Manev
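To make the border-splitting evasion discussed in this thread concrete, below is an added Python model. It is not code from the thread and not Suricata's own reassembly code. It assumes a deliberately simplified detector that inspects each flushed chunk in isolation with no overlap (Suricata's real handling of the border is more involved; the simplification is there to show why a fixed, known border helps an attacker), and it models the startup randomization as a uniform pick within ±10% of the configured size. That ±10% range is an assumption here, modelled on the stream.reassembly randomize-chunk-range setting, and it is consistent with the 2634 and 2440 values logged above (both within 256 bytes of 2560). The signature content `/bin/sh` and the `A`/`B` filler payload are constructed for the example.

```python
"""Model of chunk-border evasion against per-chunk reassembly inspection.

Added example, not Suricata code. Simplifications (assumptions):
  * the detector sees each flushed chunk in isolation, with no overlap
    between consecutive chunks;
  * the randomised chunk size is drawn uniformly from +/- RANGE_PCT
    percent around the configured size (modelled on stream.reassembly
    randomize-chunk-range; the logged 2634/2440 both fit a 10% range).
"""
from typing import Iterator, Tuple

DEFAULT_CHUNK = 2560   # toserver-chunk-size default quoted in the thread
RANGE_PCT = 10         # assumed randomisation range, in percent


def flush_in_chunks(stream: bytes, chunk_size: int) -> Iterator[bytes]:
    """Yield the byte ranges a chunked reassembler would hand to detection.

    Borders fall at every multiple of chunk_size; the final partial chunk
    is flushed when the stream ends.
    """
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    for off in range(0, len(stream), chunk_size):
        yield stream[off:off + chunk_size]


def per_chunk_detect(stream: bytes, chunk_size: int, pattern: bytes) -> bool:
    """Naive detector: alert only if the pattern lies wholly inside one chunk."""
    return any(pattern in chunk for chunk in flush_in_chunks(stream, chunk_size))


def craft_straddling_payload(pattern: bytes, guessed_chunk: int, tail: int = 64) -> bytes:
    """Attacker side: pad so the pattern is centred on the first guessed border.

    Constructed payload; 'A'/'B' filler stands in for innocuous protocol bytes.
    The tail keeps the stream going past the border so the chunk is flushed.
    """
    lead = guessed_chunk - len(pattern) // 2
    return b"A" * lead + pattern + b"B" * tail


def chunk_size_range(configured: int, range_pct: int = RANGE_PCT) -> range:
    """All chunk sizes the modelled randomisation can pick (inclusive bounds)."""
    delta = configured * range_pct // 100
    return range(configured - delta, configured + delta + 1)


def evasion_against_fixed(pattern: bytes, configured: int = DEFAULT_CHUNK) -> bool:
    """True if the crafted payload evades a reassembler using the configured size verbatim."""
    payload = craft_straddling_payload(pattern, configured)
    return not per_chunk_detect(payload, configured, pattern)


def evasion_against_randomised(pattern: bytes, configured: int = DEFAULT_CHUNK,
                               range_pct: int = RANGE_PCT) -> Tuple[int, int]:
    """Count the chunk sizes in the randomised range for which the same payload evades.

    Returns (evading_sizes, total_sizes). The attacker still aims at the
    configured value: the randomised size is picked at sensor startup and
    is not observable from the wire.
    """
    payload = craft_straddling_payload(pattern, configured)
    sizes = chunk_size_range(configured, range_pct)
    missed = sum(1 for c in sizes if not per_chunk_detect(payload, c, pattern))
    return missed, len(sizes)


if __name__ == "__main__":
    pat = b"/bin/sh"  # constructed signature content
    print("fixed 2560, evaded:", evasion_against_fixed(pat))
    missed, total = evasion_against_randomised(pat)
    print(f"randomised +/-{RANGE_PCT}%: evaded for {missed} of {total} sizes "
          f"({100.0 * missed / total:.1f}%)")
```

With the configured size used verbatim, the 7-byte pattern placed across byte 2560 is never seen whole by the per-chunk detector, so the attack works every time. Once the size is randomised, the payload only straddles the border for the handful of sizes that fall inside the pattern itself (2558 through 2563 here), so the same payload evades for 6 of the 513 candidate sizes. The attacker gains nothing by guessing differently, because any single guess is wrong for the same fraction of sensors.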
