readme.stream5
Overview
========

The Stream5 preprocessor is a target-based TCP reassembly module for
Snort. It is intended to replace both the Stream4 and flow
preprocessors, and it is capable of tracking sessions for both TCP and
UDP. With Stream5, the rule 'flow' and 'flowbits' keywords are usable
with TCP as well as UDP traffic.

Since Stream5 replaces Stream4, both cannot be used simultaneously.
Remove the Stream4 and flow configurations from snort.conf when the
Stream5 configuration is added.

Transport Protocols
-------------------

TCP sessions are identified via the classic TCP "connection". UDP
sessions are established as the result of a series of UDP packets from
two end points via the same set of ports. ICMP messages are tracked for
the purposes of checking for unreachable and service unavailable
messages, which effectively terminate a TCP or UDP session.

Target-Based
------------

Stream5, like Frag3, introduces target-based actions for handling of
overlapping data and other TCP anomalies. The methods for handling
overlapping data, TCP timestamps, data on SYN, FIN and Reset sequence
numbers, etc., and the policies supported by Stream5 are the results of
extensive research with many target operating systems. Matching the
reassembly policy to the destination host matters because an attacker
who sends overlapping segments carrying conflicting data can otherwise
make the sensor reassemble a different stream than the target does.

Stream API
----------

Stream5 fully supports the Stream API (partly supported by Stream4),
allowing other protocol normalizers/preprocessors to dynamically
configure reassembly behavior as required by the application layer
protocol, identify sessions that may be ignored (large data transfers,
etc.), and update the identifying information about the session
(application protocol, direction, etc.) that can later be used by rules.

Anomaly Detection
-----------------

TCP protocol anomalies, such as data on SYN packets, data received
outside the TCP window, etc., are configured via the detect_anomalies
option to the TCP configuration. Some of these anomalies are detected
on a per-target basis.
For example, a few operating systems allow data in TCP SYN packets,
while others do not.

Configuration
=============

Global Configuration
--------------------

Global settings for the Stream5 preprocessor.

- Preprocessor name: stream5_global
- Options:
    track_tcp <yes|no>
        - Track sessions for TCP. The default is "yes".
    max_tcp <number>
        - Max concurrent sessions for TCP. The default is "256000",
          maximum is "1052672", minimum is "1".
    memcap <bytes>
        - Memcap for TCP packet storage. The default is "8388608" (8MB),
          maximum is "1073741824" (1GB), minimum is "32768" (32KB).
    track_udp <yes|no>
        - Track sessions for UDP. The default is "yes".
    max_udp <number>
        - Max concurrent sessions for UDP. The default is "128000",
          maximum is "1052672", minimum is "1".
    track_icmp <yes|no>
        - Track sessions for ICMP. The default is "yes".
    max_icmp <number>
        - Max concurrent sessions for ICMP. The default is "64000",
          maximum is "1052672", minimum is "1".
    flush_on_alert
        - Backwards compatibility. Flush a TCP stream when an alert is
          generated on that stream. The default is set to off.
    show_rebuilt_packets
        - Print/display the packet after it is rebuilt (for debugging).
          The default is set to off.

TCP Configuration
-----------------

Provides a means to configure a TCP policy per IP address target. This
can have multiple occurrences, one per policy that is bound to an IP
address or network. One default policy must be specified, and that
policy is not bound to an IP address or network.

- Preprocessor name: stream5_tcp
- Options:
    bind_to <ip_addr>
        - IP address for this policy. The default is set to any.
    timeout <number (secs)>
        - Session timeout. The default is "30", the minimum is "1", and
          the maximum is "86400" (approximately 1 day).
    policy <policy_id>
        - The Operating System policy for the target OS. The policy_id
          can be one of the following:
            first     - Favor first overlapped segment.
            last      - Favor last overlapped segment.
            bsd       - FreeBSD 4.x and newer
                        NetBSD 2.x and newer
                        OpenBSD 3.x and newer
                        AIX
            linux     - Linux 2.4 and 2.6
            old-linux - Linux 2.2 and earlier
            windows   - Windows 98, NT, 2000, XP (and others not
                        specifically listed below)
            win2003   - Windows 2003 Server
            vista     - Windows Vista
            solaris   - Solaris 9.x and newer
            hpux10    - HPUX 10
            hpux      - HPUX 11 and newer
            irix      - IRIX 6 and newer
            macos     - MacOS 10.3 and newer
          The default is "bsd".
    min_ttl <number>
        - Minimum Time To Live. The default is "1", the minimum is "1"
          and the maximum is "255".
    overlap_limit <number>
        - Limits the number of overlapping packets. The default is "0"
          (unlimited), the minimum is "0", and the maximum is "255".
    max_window <number>
        - Maximum allowed TCP window. The default is "0" (unlimited), the
          minimum is "0", and the maximum is "1073725440" (65535 left
          shift 14). That is the highest possible TCP window per RFCs.
          This option is intended to prevent a DoS against Stream5 by an
          attacker using an abnormally large window, so using a value
          near the maximum is discouraged.
    detect_anomalies
        - Detect TCP protocol anomalies. The default is set to off.
    require_3whs [<alt_timeout (secs)>]
        - Establish sessions only on completion of a SYN/SYN-ACK/ACK
          handshake. The default is set to off. The alternate timeout is
          the timeout in seconds for the handshake to complete. The
          default is "0" (unlimited), the minimum is "0", and the maximum
          is "86400" (approximately 1 day).
    use_static_footprint_sizes
        - Emulate Stream4 behavior for flushing reassembled packets. The
          default is set to off.
    dont_store_large_packets
        - A performance improvement which, if set, does not queue large
          packets in the reassembly buffer. Setting this option could
          result in missed packets. The default is set to off.
    ports <client|server|both> [all|space separated port list]
        - Specify the client, server, or both and the list of ports on
          which to perform reassembly. This can appear more than once in
          a given config.
          For example:
            ports both 80 23
            ports server 37
            ports client 21 25
          The default settings are:
            ports client 21 23 25 42 53 80 110 111 135 136 \
                         137 139 143 445 513 1433 1521 3306
          The minimum port allowed is "1" and the maximum allowed is
          "65535".

If no options are specified for a given TCP policy, that is the default
TCP policy. If only a bind_to option is used with no other options, that
TCP policy uses all of the default values.

UDP Configuration
-----------------

Configuration for UDP session tracking. Since there is no target-based
binding, there should be only one occurrence of the UDP configuration.

- Preprocessor name: stream5_udp
- Options:
    timeout <number (secs)>
        - Session timeout. The default is "30", the minimum is "1", and
          the maximum is "86400" (approximately 1 day).
    ignore_any_rules
        - Don't process any -> any (ports) rules for UDP that attempt to
          match payload if there are no port-specific rules for the
          source or destination port. Rules that have flow or flowbits
          will never be ignored. This is a performance improvement, but
          may result in missed attacks. Using this does not affect rules
          that look at protocol headers, only those with content, PCRE,
          or byte_test options. The default is "off".

NOTE: with the ignore_any_rules option, a UDP rule will be ignored
except when there is another port-specific rule that may be applied to
the traffic. For example, if a UDP rule specifies destination port 53,
the 'ignored' any -> any rule will be applied to traffic to/from port
53, but NOT to any other source or destination port. A list of rule
SIDs affected by this option is printed at Snort's startup.

NOTE: with the ignore_any_rules option, if a UDP rule that uses
any -> any ports includes either flow or flowbits, the ignore_any_rules
option is effectively pointless.
Because of the potential impact of disabling a flowbits rule, the
ignore_any_rules option will be disabled in this case.

ICMP Configuration
------------------

NOTE: ICMP is currently untested, in minimal code form and is NOT ready
for use in production networks. It is not turned on by default.

Configuration for ICMP session tracking. Since there is no target-based
binding, there should be only one occurrence of the ICMP configuration.

- Preprocessor name: stream5_icmp
- Options:
    timeout <number (secs)>
        - Session timeout. The default is "30", the minimum is "1", and
          the maximum is "86400" (approximately 1 day).

Example Configurations
======================

1) This example configuration emulates the behavior of Stream4 (with
   UDP support enabled).

    preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                                 track_udp yes, track_icmp no
    preprocessor stream5_tcp: policy first, use_static_footprint_sizes
    preprocessor stream5_udp: ignore_any_rules

2) This configuration maps two network segments to different reassembly
   policies, one for Windows, one for Linux, with all other traffic
   falling to the default policy, Solaris.

    preprocessor stream5_global: track_tcp yes
    preprocessor stream5_tcp: bind_to 192.168.1.0/24, policy windows
    preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy linux
    preprocessor stream5_tcp: policy solaris

Alerts
======

Stream5 uses generator ID 129. It is capable of alerting on 8 (eight)
anomalies, all of which relate to TCP. There is no anomaly detection
for UDP or ICMP.

The list of SIDs is as follows:

1) SYN on established session
2) Data on SYN packet
3) Data sent on stream not accepting data
4) TCP Timestamp is outside of PAWS window
5) Bad segment, overlap adjusted size less than/equal 0
6) Window size (after scaling) larger than policy allows
7) Limit on number of overlapping TCP packets reached
8) Data after Reset packet
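The following is an added example written for this README and is not Stream5 code. It models the Target-Based section's point about overlapping data: a reassembler that honors the 'first' and 'last' overlap policies exactly as the policy option above defines them, plus two of the eight documented detect_anomalies alerts (GID 129, SID 2 "Data on SYN packet" and SID 8 "Data after Reset packet"). Resolving overlaps byte by byte and discarding data that arrives after a RST are assumptions of the model, not documented Stream5 behavior; the OS-specific policies (bsd, windows, ...) are not modeled because the README does not define their rules. The segments at the bottom are constructed input.

```python
"""Toy model of target-based overlap handling in a TCP reassembler.

Added example for this README; it is not Stream5 code. It implements only
the two policies the README defines by rule, 'first' (favor the first
overlapped segment) and 'last' (favor the last), plus two of the eight
documented anomalies, GID 129 SID 2 "Data on SYN packet" and SID 8 "Data
after Reset packet". Byte-level overlap resolution and dropping data that
arrives after a RST are assumptions of this model, not documented
Stream5 behavior. The segments at the bottom are constructed input.
"""
from dataclasses import dataclass

GID = 129  # Stream5 generator ID, from the Alerts section


@dataclass(frozen=True)
class Segment:
    seq: int          # sequence number of the first payload byte
    data: bytes
    flags: str = "A"  # any of S, A, F, R


def reassemble(segments, policy="first", detect_anomalies=False):
    """Reassemble one direction of a TCP stream from segments in arrival order.

    Returns (payload, alerts): payload is the contiguous run of bytes from
    the lowest sequence number seen up to the first hole; alerts is a list
    of (gid, sid, message) tuples in the order they fired.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"model only knows 'first' and 'last', not {policy!r}")
    held = {}            # absolute sequence number -> byte value
    alerts = []
    reset_seen = False
    for seg in segments:
        if "R" in seg.flags:
            reset_seen = True          # anything arriving after this is suspect
            continue
        if not seg.data:
            continue                   # pure ACK/FIN queues nothing
        if detect_anomalies and "S" in seg.flags:
            alerts.append((GID, 2, "Data on SYN packet"))
        if detect_anomalies and reset_seen:
            alerts.append((GID, 8, "Data after Reset packet"))
            continue                   # assumption: the model discards it
        for offset, byte in enumerate(seg.data):
            s = seg.seq + offset
            if s in held and policy == "first":
                continue               # keep the byte that arrived first
            held[s] = byte             # 'last': newest overlapping byte wins
    if not held:
        return b"", alerts
    out = bytearray()
    s = min(held)
    while s in held:                   # stop at the first hole
        out.append(held[s])
        s += 1
    return bytes(out), alerts


# Constructed insertion attempt: the second segment re-covers sequence
# numbers 6..15 with different bytes. A sensor whose policy does not match
# the target reassembles a different request than the server parses.
OVERLAP_ATTACK = [
    Segment(1, b"GET /index.html"),   # seq 1..15
    Segment(6, b"admin.html"),        # seq 6..15, conflicting data
    Segment(16, b" HTTP/1.0\r\n"),
]

# Constructed anomalies: payload on the SYN, then a segment after a RST.
ANOMALIES = [
    Segment(1, b"X", flags="S"),
    Segment(2, b"hello"),
    Segment(7, b"", flags="R"),
    Segment(7, b"world"),
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(f"{policy:5}", reassemble(OVERLAP_ATTACK, policy)[0])
    print(reassemble(ANOMALIES, "first", detect_anomalies=True))
```

Running it shows the same three segments reassembling to a request for /index.html under 'first' and for /admin.html under 'last'; whichever of the two the real target keeps is the request the rules must be matched against, which is why bind_to plus the right policy matters more than any single default.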
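A second added example, also not part of Snort, for the Configuration section: a small lint that reads stream5_* preprocessor lines from a snort.conf fragment and reports values the README says are out of range, unknown policy_ids, malformed ports options, more or fewer than one default (non-bind_to) stream5_tcp policy, and leftover stream4/flow preprocessors that the Overview says must be removed. The two configuration fragments are constructed; the second is the README's own example 2 and should come back clean.

```python
"""Lint a snort.conf fragment against the Stream5 options documented above.

Added example for this README, not part of Snort. It checks only what the
README states: the numeric ranges, the policy_id list, the ports syntax,
the yes/no options, the rule that exactly one stream5_tcp policy has no
bind_to, and the Overview's note that stream4 and flow must be removed.
The two configuration fragments at the bottom are constructed test input.
"""
import re

POLICIES = {"first", "last", "bsd", "linux", "old-linux", "windows", "win2003",
            "vista", "solaris", "hpux10", "hpux", "irix", "macos"}

# Numeric options and their (minimum, maximum) from the README.
RANGES = {
    "stream5_global": {"max_tcp": (1, 1052672), "max_udp": (1, 1052672),
                       "max_icmp": (1, 1052672), "memcap": (32768, 1073741824)},
    "stream5_tcp": {"timeout": (1, 86400), "min_ttl": (1, 255),
                    "overlap_limit": (0, 255), "max_window": (0, 1073725440),
                    "require_3whs": (0, 86400)},
    "stream5_udp": {"timeout": (1, 86400)},
    "stream5_icmp": {"timeout": (1, 86400)},
}
REPLACED = {"stream4", "stream4_reassemble", "flow"}  # cannot coexist with Stream5


def parse(text):
    """Return [(preprocessor name, [[option, arg, ...], ...]), ...].

    Joins backslash-newline continuations and ignores comments and any
    line that is not a 'preprocessor' directive.
    """
    entries = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"preprocessor\s+(\S+?)\s*(?::\s*(.*))?$", line)
        if not m:
            continue
        args = m.group(2) or ""
        entries.append((m.group(1), [o.split() for o in args.split(",") if o.strip()]))
    return entries


def lint(text):
    """Return a list of findings (strings); an empty list means no problems."""
    findings = []
    entries = parse(text)
    tcp_defaults = 0
    for name, opts in entries:
        if name in REPLACED:
            findings.append(f"{name}: remove it, Stream5 replaces Stream4 and flow")
            continue
        if name not in RANGES:
            continue                      # some other preprocessor
        if name == "stream5_tcp" and not any(o[0] == "bind_to" for o in opts):
            tcp_defaults += 1             # a policy without bind_to is the default
        for key, *vals in opts:
            if key in RANGES[name]:
                lo, hi = RANGES[name][key]
                # require_3whs may be a bare flag; only check a value if present
                if vals and not (vals[0].isdigit() and lo <= int(vals[0]) <= hi):
                    findings.append(f"{name}: {key} {vals[0]} is outside {lo}..{hi}")
            elif key.startswith("track_") and vals[:1] not in (["yes"], ["no"]):
                findings.append(f"{name}: {key} expects yes or no")
            elif key == "policy" and (len(vals) != 1 or vals[0] not in POLICIES):
                findings.append(f"{name}: unknown policy {' '.join(vals) or '(none)'}")
            elif key == "ports":
                who, ports = vals[:1], vals[1:]
                bad = [p for p in ports if not (p.isdigit() and 1 <= int(p) <= 65535)]
                if who not in (["client"], ["server"], ["both"]) or (ports != ["all"] and bad):
                    findings.append(f"{name}: bad ports option '{' '.join(vals)}'")
    if any(name == "stream5_tcp" for name, _ in entries) and tcp_defaults != 1:
        findings.append(f"stream5_tcp: {tcp_defaults} default policies (no bind_to), "
                        "exactly one is required")
    return findings


# Constructed fragment with the mistakes the lint is meant to catch.
BAD_CONF = """\
preprocessor stream4: detect_scans
preprocessor flow: stats_interval 0 hash 2
preprocessor stream5_global: max_tcp 2000000, track_tcp yes, \\
                             track_udp yes, track_icmp no
preprocessor stream5_tcp: bind_to 192.168.1.0/24, policy windows, timeout 0
preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy linux, ports both 80 99999
preprocessor stream5_tcp: policy solaris, require_3whs 10
preprocessor stream5_tcp: policy bsd
preprocessor stream5_udp: ignore_any_rules
"""

# The README's second example configuration, which should lint clean.
GOOD_CONF = """\
preprocessor stream5_global: track_tcp yes
preprocessor stream5_tcp: bind_to 192.168.1.0/24, policy windows
preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy linux
preprocessor stream5_tcp: policy solaris
"""

if __name__ == "__main__":
    for finding in lint(BAD_CONF):
        print(finding)
    print("GOOD_CONF findings:", lint(GOOD_CONF))
```

The lint only knows the limits written on this page; Snort itself rejects more than this at startup, so treat a clean result as "nothing contradicts the README", not as proof the file loads.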