Chapter 4     Plugins, Preprocessors and Output Modules
which is a self-organizing data structure. For configuration, use and administration of
Snort, you need not understand this algorithm.
With frag2, you can configure timeout and memory limits for packet defragmentation.
By default, the preprocessor uses 4 MB of memory and a 60-second timeout
period. If a packet assembly is not successful within this time period, previously
collected fragments are discarded. The following command enables the preprocessor with
default values.
preprocessor frag2
The following command configures the preprocessor with 2MB memory and a
timeout period of 30 seconds.
preprocessor frag2: 2097152, 30
On high-speed networks, you should use large amounts of memory since a large
number of data packets may be fragmented. RFC 791 describes the fragmentation and
reassembly process in detail. The link to this RFC is found at the end of the chapter.
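The effect of the two frag2 limits can be seen in a small model of fragment reassembly. This is an added example, not Snort's code: the Reassembler class, the sample addresses and the oldest-first eviction under memory pressure are assumptions, and offsets are plain byte offsets of non-overlapping fragments rather than RFC 791's 8-byte units.

```python
class Reassembler:
    def __init__(self, memcap=4 * 1024 * 1024, timeout=60):  # defaults stated on the page
        self.memcap, self.timeout = memcap, timeout
        self.trackers = {}   # (src, dst, proto, ip_id) -> partial datagram (RFC 791 key)
        self.used, self.dropped = 0, []   # buffered bytes; (key, reason) per discard

    def _discard(self, key, reason=None):
        t = self.trackers.pop(key)
        self.used -= sum(len(p) for p in t["frags"].values())
        if reason:
            self.dropped.append((key, reason))

    def add(self, now, key, offset, more_frags, payload):
        """Feed one fragment; return the full payload once complete, else None."""
        # Timeout: discard partial datagrams whose first fragment is too old.
        for k in [k for k, t in self.trackers.items() if now - t["first"] > self.timeout]:
            self._discard(k, "timeout")
        if not payload:
            return None
        t = self.trackers.setdefault(key, {"first": now, "frags": {}, "total": None})
        if offset in t["frags"]:
            return None                      # duplicate fragment, keep the first copy
        t["frags"][offset] = payload
        self.used += len(payload)
        if not more_frags:                   # last fragment fixes the datagram length
            t["total"] = offset + len(payload)
        # Memory cap: evict the oldest partial datagrams (assumed policy, not from the page).
        while self.used > self.memcap:
            self._discard(min(self.trackers, key=lambda k: self.trackers[k]["first"]), "memcap")
        if key not in self.trackers or t["total"] is None:
            return None
        out, pos = b"", 0
        while pos < t["total"]:              # walk contiguous, non-overlapping fragments
            if pos not in t["frags"]:
                return None                  # hole: still waiting for a fragment
            out += t["frags"][pos]
            pos += len(t["frags"][pos])
        self._discard(key)
        return out

def demo():
    r = Reassembler(memcap=2097152, timeout=30)   # "preprocessor frag2: 2097152, 30"
    a = ("10.0.0.5", "10.0.0.9", 17, 0x1A2B)      # constructed sample datagram keys
    b = ("10.0.0.6", "10.0.0.9", 17, 0x0042)
    r.add(0, a, 0, True, b"A" * 16)               # first fragment of a, the rest is delayed
    r.add(5, b, 16, False, b"tail")               # b arrives out of order
    done = r.add(10, b, 0, True, b"H" * 16)       # b completes within the timeout
    late = r.add(31, a, 16, False, b"B" * 8)      # a's first fragment has already expired
    return done, late, r.dropped
```

In demo(), the datagram whose second fragment arrives after 31 seconds is never reassembled under the 30-second setting, which is why a shorter timeout trades memory for the risk of missing slowly delivered fragments.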
4.1.4 The stream4 Module
Stream4 is a replacement for the Stream module used in older versions of Snort. It
provides two basic functions:
1. TCP stream reassembly
2. Stateful inspection
You must configure two preprocessors in the snort.conf file for Stream4 to
work properly. These modules are stream4 and stream4_reassemble. Both
of these take a number of arguments. If you don't specify an argument, a default value
is used instead. The general format of the stream4 preprocessor is as follows:
preprocessor stream4: [noinspect], [keepstats], \
  [timeout ], [memcap ], [detect_scan], \
  [detect_state]
Here is a brief explanation of the arguments to the preprocessor and their default
values:
noinspect    Turns off stateful inspection (default: ACTIVE)
keepstats    Records session summary in session.log file (default: INACTIVE)
timeout      Timeout for keeping a stream in active state (default: 30 seconds)