
TCP stream reassembly



Hello one and all.

Just to inform you that there is now TCP stream reassembly support in
the CVS tree. Just add reassemble=yes on to your tcpstream configuration
and you are ready to test it.

There are still limitations: it only reassembles in-order segments
(out-of-order segment queuing is coming later), and it also sucks up memory.

The reassembly technique is quite smart, it uses the application layer
decoders to determine whether or not to start reassembling traffic. What
this means is that there is effectively zero performance degradation
until someone tries to evade the sensor using TCP evasion techniques.

As an example, if a packet comes along with "GET /AAAAAAAAAAAAAAAAAAA
HT", reassembly will be enabled until it sees the next packet which
contains "TP/1.0\r\n\r\n". The two packets are then sewn together and
matched to the rules and reassembly is again disabled for that
connection.

Right now there is only an HTTP decoder (which I have much improved). In
the future there will be many application layer protocols supported.

PS. I also have some really neat code for HTTP URL normalization which
can normalize hex-encoding, double-hex encoding, UTF-8, MS-UTF-16,
double slashes, Windows slashes, case sensitivity, self reference
directories (/./), parent directories (/../) and is even configurable
based on web-server type (which will eventually be auto-detected). This
code should be in CVS within a few weeks.

Enjoy! :)

-- 
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
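The decoder-driven reassembly described in the post, as an added example that is not the code in the CVS tree: a connection is buffered only while the HTTP decoder reports an incomplete request, the sewn-together buffer is matched once the request is complete, and buffering is switched off again. The decoder, the rule set, the sample segments and the connection tuples are all constructed for this example.

```python
import re

# Constructed sample traffic (not from the post): connection 4-tuple plus the
# in-order payload of each segment. The first two segments split the request
# line exactly as the example in the post does.
SEGMENTS = [
    (("10.0.0.1", 40000, "10.0.0.2", 80), b"GET /AAAAAAAAAAAAAAAAAAA HT"),
    (("10.0.0.1", 40000, "10.0.0.2", 80), b"TP/1.0\r\n\r\n"),
    (("10.0.0.3", 40001, "10.0.0.2", 80), b"GET /index.html HTTP/1.0\r\n\r\n"),
    (("10.0.0.4", 40002, "10.0.0.2", 80), b"\x16\x03\x01 not http at all"),
]

# Hypothetical rule set: name -> pattern applied to a complete request.
RULES = {
    "long-uri": re.compile(rb"^GET /A{10,} HTTP/1\.[01]\r\n", re.M),
}

_METHOD = re.compile(rb"^(GET|POST|HEAD)\s")


def http_decoder(data):
    """Assumed stand-in for the application layer decoder in the post.

    Returns 'not-http' when the buffer does not look like a request at all,
    'partial' when it starts like a request but the header block has not
    ended yet, and 'complete' once the empty line ending the headers arrived.
    """
    if not _METHOD.match(data):
        return "not-http"
    return "complete" if b"\r\n\r\n" in data else "partial"


class StreamReassembler:
    """Decoder-driven reassembly for in-order segments only.

    A connection is buffered only while the decoder reports 'partial', so the
    common case (one request per segment) never touches the buffer.
    Out-of-order segments are not queued, matching the limitation in the post.
    """

    def __init__(self, decoder, rules):
        self.decoder = decoder
        self.rules = rules
        self.pending = {}            # conn -> bytes buffered so far
        self.reassembled_segments = 0

    def segment(self, conn, payload):
        """Feed one in-order segment; return the names of rules that fired."""
        if conn in self.pending:
            # Reassembly is on for this connection: sew the new bytes onto
            # what was buffered.
            data = self.pending[conn] + payload
            self.reassembled_segments += 1
        else:
            data = payload
        state = self.decoder(data)
        if state == "partial":
            # Keep buffering; this is the memory cost the post mentions.
            self.pending[conn] = data
            return []
        # 'complete' or 'not-http': match now and switch reassembly off again.
        self.pending.pop(conn, None)
        return self.match(data)

    def close(self, conn):
        """On FIN/RST, match whatever was buffered and free it."""
        data = self.pending.pop(conn, None)
        return self.match(data) if data is not None else []

    def match(self, data):
        """Run the rule set over one buffer."""
        return [name for name, rx in self.rules.items() if rx.search(data)]


def process(segments, decoder=http_decoder, rules=RULES):
    """Run all segments through one reassembler; return (alerts, reassembler)."""
    r = StreamReassembler(decoder, rules)
    return [r.segment(conn, payload) for conn, payload in segments], r


if __name__ == "__main__":
    alerts, r = process(SEGMENTS)
    for (conn, payload), fired in zip(SEGMENTS, alerts):
        print(conn[0], payload[:24], "->", fired or "no alert")
    # Per-segment matching sees neither half of the split request.
    print("per-segment:", [r.match(p) for _, p in SEGMENTS[:2]])
```

Only the second segment of the split connection ever passes through the buffer, so the two other connections are matched straight off the wire; `close()` covers the case where a client goes away mid-request, which is otherwise where the buffered memory would sit forever.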

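The URL normalization the PS lists, as an added example that is not the author's code: hex, double-hex, overlong UTF-8 and %uXXXX decoding, backslashes, case folding, `//`, `/./` and `/../`, selected by a server profile. The two profiles, their flag names and the lenient UTF-8 decoder are assumptions made for this example; the point is that rules are matched against the path as the target server would interpret it, not as it appeared on the wire.

```python
import re

# Assumed per-server behaviour the normaliser emulates. The post says its
# version is configurable per web-server type; these two profiles are made
# up for the example.
PROFILES = {
    "apache": dict(backslash=False, case_fold=False, utf16=False,
                   double_decode=False, overlong_utf8=False),
    "iis":    dict(backslash=True,  case_fold=True,  utf16=True,
                   double_decode=True,  overlong_utf8=True),
}

_HEX = re.compile(rb"%([0-9A-Fa-f]{2})")
_U16 = re.compile(rb"%[uU]([0-9A-Fa-f]{4})")


def _decode_percent(b, profile):
    """One pass of %uXXXX (when the profile honours it) and %XX decoding."""
    if profile["utf16"]:
        b = _U16.sub(lambda m: chr(int(m.group(1), 16)).encode("utf-8"), b)
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), b)


def _utf8(b, allow_overlong):
    """Decode UTF-8; optionally accept overlong two- and three-byte forms
    (e.g. C0 AF for '/') the way a lenient server would."""
    if not allow_overlong:
        return b.decode("utf-8", "replace")
    out, i = [], 0
    while i < len(b):
        c = b[i]
        if c < 0x80:
            out.append(chr(c))
            i += 1
        elif 0xC0 <= c < 0xE0 and i + 1 < len(b) and 0x80 <= b[i + 1] < 0xC0:
            out.append(chr(((c & 0x1F) << 6) | (b[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= c < 0xF0 and i + 2 < len(b)
              and all(0x80 <= x < 0xC0 for x in b[i + 1:i + 3])):
            out.append(chr(((c & 0x0F) << 12) | ((b[i + 1] & 0x3F) << 6)
                           | (b[i + 2] & 0x3F)))
            i += 3
        else:
            out.append("\ufffd")   # stray byte: keep a marker, never a '/'
            i += 1
    return "".join(out)


def normalize_url(url, server="apache"):
    """Return the canonical path for `url` as `server` would resolve it."""
    path = url.partition("?")[0]          # query string is left alone
    p = PROFILES[server]
    b = _decode_percent(path.encode("utf-8"), p)
    if p["double_decode"]:
        b = _decode_percent(b, p)         # %2541 -> %41 -> A
    s = _utf8(b, p["overlong_utf8"])
    if p["backslash"]:
        s = s.replace("\\", "/")
    if p["case_fold"]:
        s = s.lower()
    parts = []
    for seg in s.split("/"):
        if seg in ("", "."):
            continue                       # collapses // and /./
        if seg == "..":
            if parts:
                parts.pop()                # /../ ; clamped at the root
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


if __name__ == "__main__":
    for u in ("/a/./b//c/../d", "/dir/%2541", "/x%c0%afy",
              "/Scripts\\Test.ASP", "/%u0041bc"):
        print(f"{u!r:24} apache={normalize_url(u)!r:18} "
              f"iis={normalize_url(u, 'iis')!r}")
```

The same wire form yields different canonical paths per profile (`%2541` is `A` on the lenient profile and a literal `%41` on the strict one), which is why a sensor that normalises for the wrong server type either misses matches or raises false ones.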