Provides a means to configure TCP policy per target IP address. This can appear multiple times, once per policy bound to an IP address or network. Exactly one default policy must be specified, and that policy is not bound to an IP address or network.

```
preprocessor stream5_tcp: \
    [bind_to <ip_addr>], \
    [timeout <number secs>], [policy <policy_id>], \
    [overlap_limit <number>], [max_window <number>], \
    [require_3whs [<number secs>]], [detect_anomalies], \
    [check_session_hijacking], [use_static_footprint_sizes], \
    [dont_store_large_packets], [dont_reassemble_async], \
    [max_queued_bytes <bytes>], [max_queued_segs <number segs>], \
    [small_segments <number> bytes <number> [ignore_ports number [number]*]], \
    [ports <client|server|both> <all|number [number]*>], \
    [protocol <client|server|both> <all|service name [service name]*>], \
    [ignore_any_rules], [flush_factor <number segs>]
```
Option | Description
---|---
bind_to <ip_addr> | IP address or network for this policy. The default is set to any.
timeout <num seconds> | Session timeout. The default is "30", the minimum is "1", and the maximum is "86400" (approximately 1 day).
policy <policy_id> | The Operating System policy for the target OS. The policy_id can be one of the following:
overlap_limit <number> | Limits the number of overlapping packets per session. The default is "0" (unlimited), the minimum is "0", and the maximum is "255".
max_window <number> | Maximum TCP window allowed. The default is "0" (unlimited), the minimum is "0", and the maximum is "1073725440" (65535 left shift 14). That is the highest possible TCP window per RFCs. This option is intended to prevent a DoS against Stream5 by an attacker using an abnormally large window, so using a value near the maximum is discouraged.
require_3whs [<number seconds>] | Establish sessions only on completion of a SYN/SYN-ACK/ACK handshake. The default is set to off. The optional number of seconds specifies a startup timeout. This allows a grace period for existing sessions to be considered established during that interval immediately after Snort is started. The default is "0" (don't consider existing sessions established), the minimum is "0", and the maximum is "86400" (approximately 1 day).
detect_anomalies | Detect and alert on TCP protocol anomalies. The default is set to off.
check_session_hijacking | Check for TCP session hijacking. This check validates the hardware (MAC) address from both sides of the connection, as established on the 3-way handshake, against subsequent packets received on the session. If an ethernet layer is not part of the protocol stack received by Snort, no checks are performed. Alerts are generated (per the 'detect_anomalies' option) for either the client or server when the MAC address for one side or the other does not match. The default is set to off.
use_static_footprint_sizes | Use static values for determining when to build a reassembled packet to allow for repeatable tests. This option should not be used in production environments. The default is set to off.
dont_store_large_packets | Performance improvement: do not queue large packets in the reassembly buffer. The default is set to off. Using this option may result in missed attacks.
dont_reassemble_async | Don't queue packets for reassembly if traffic has not been seen in both directions. The default is set to queue packets.
max_queued_bytes <bytes> | Limit the number of bytes queued for reassembly on a given TCP session to bytes. The default is "1048576" (1MB). A value of "0" means unlimited, with a non-zero minimum of "1024", and a maximum of "1073741824" (1GB). A message is written to console/syslog when this limit is enforced.
max_queued_segs <num> | Limit the number of segments queued for reassembly on a given TCP session. The default is "2621", derived from an average segment size of 400 bytes. A value of "0" means unlimited, with a non-zero minimum of "2", and a maximum of "1073741824" (1GB). A message is written to console/syslog when this limit is enforced.
small_segments <number> bytes <number> [ignore_ports <number(s)>] | Configure the maximum small segments queued. This feature requires that detect_anomalies be enabled. The first number is the number of consecutive segments that will trigger the detection rule. The default value is "0" (disabled), with a maximum of "2048". The second number is the minimum bytes for a segment to be considered "small". The default value is "0" (disabled), with a maximum of "2048". ignore_ports is optional and defines the list of ports that will be ignored for this rule. The number of ports can be up to "65535". A message is written to console/syslog when this limit is enforced.
ports <client\|server\|both> <all\|number(s)> | Specify the client, server, or both and the list of ports on which to perform reassembly. This can appear more than once in a given config. The default settings are ports client 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 514 1433 1521 2401 3306. The minimum port allowed is "1" and the maximum allowed is "65535".
protocol <client\|server\|both> <all\|service name(s)> | Specify the client, server, or both and the list of services on which to perform reassembly. This can appear more than once in a given config. The default settings are client ftp telnet smtp nameserver dns http pop3 sunrpc dcerpc netbios-ssn imap login shell mssql oracle cvs mysql. The service names can be any of those used in the host attribute table (see 2.7), including any of the internal defaults (see 2.7.3) or others specific to the network.
ignore_any_rules | Don't process any -> any (ports) rules for TCP that attempt to match payload if there are no port-specific rules for the source or destination port. Rules that have flow or flowbits will never be ignored. This is a performance improvement and may result in missed attacks. Using this does not affect rules that look at protocol headers, only those with content, PCRE, or byte test options. The default is "off". This option can be used only in the default policy.
flush_factor | Useful in IPS mode to flush upon seeing a drop in segment size after N segments of non-decreasing size. The drop in size often indicates the end of a request or response.

Note:
If no options are specified for a given TCP policy, that is the default TCP policy. If only a bind_to option is used with no other options, that TCP policy uses all of the default values.
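The constraints in the table above (exactly one unbound default policy, the documented numeric ranges, small_segments requiring detect_anomalies, ignore_any_rules only in the default policy) can be checked before a config is deployed. The following is an added example, not part of the Snort manual or the Snort code base; the config lines it parses are constructed for illustration, and the parser only understands the comma-separated option syntax shown on this page.

```python
import re

# Documented (min, max) ranges for numeric stream5_tcp options; "0" means
# unlimited where the manual says so, so it is accepted as the minimum.
RANGES = {
    "timeout": (1, 86400),
    "overlap_limit": (0, 255),
    "max_window": (0, 65535 << 14),   # 1073725440, highest RFC window
    "max_queued_bytes": (0, 1 << 30),
    "max_queued_segs": (0, 1 << 30),
}

def parse_stream5_tcp(line):
    """Parse one 'preprocessor stream5_tcp: ...' line (backslash
    continuations allowed) into {option: [values]}; flags map to []."""
    joined = line.replace("\\\n", " ")
    m = re.match(r"\s*preprocessor\s+stream5_tcp\s*:\s*(.*)$", joined, re.S)
    if not m:
        raise ValueError("not a stream5_tcp preprocessor line")
    opts = {}
    for field in m.group(1).split(","):
        toks = field.split()
        if toks:
            opts[toks[0]] = toks[1:]
    return opts

def check_policy(opts):
    """Return the problems one policy has against the documented rules."""
    problems = []
    for name, (lo, hi) in RANGES.items():
        if name in opts:
            val = int(opts[name][0])
            if not lo <= val <= hi:
                problems.append(f"{name}={val} outside [{lo}, {hi}]")
    if "small_segments" in opts and "detect_anomalies" not in opts:
        problems.append("small_segments requires detect_anomalies")
    if "ignore_any_rules" in opts and "bind_to" in opts:
        problems.append("ignore_any_rules is allowed only in the default policy")
    return problems

def check_config(lines):
    """Check a whole set of stream5_tcp lines: one unbound default policy,
    then the per-policy rules, in config order."""
    policies = [parse_stream5_tcp(l) for l in lines]
    defaults = [p for p in policies if "bind_to" not in p]
    problems = []
    if len(defaults) != 1:
        problems.append(f"expected exactly 1 default policy, found {len(defaults)}")
    for p in policies:
        problems += check_policy(p)
    return problems

SAMPLE = [  # constructed config: one default policy, two bound policies
    "preprocessor stream5_tcp: timeout 60, max_window 65535, \\\n    ports client 21 80",
    "preprocessor stream5_tcp: bind_to 192.168.1.0/24, detect_anomalies, \\\n    small_segments 3 bytes 150",
    "preprocessor stream5_tcp: bind_to 10.0.0.1, timeout 0, ignore_any_rules",
]
```

Running `check_config(SAMPLE)` flags only the third policy: its timeout of 0 is below the documented minimum of 1, and ignore_any_rules is not permitted on a bound policy.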