UDP Stream Preprocessing
Note | This section applies to Snort 2 preprocessors. For information on Snort 3 inspectors, see https://www.cisco.com/go/snort3-inspectors. |
UDP stream preprocessing occurs when the rules engine processes
packets against a UDP rule that includes the
flow keyword using
any of the following arguments:
-
Established -
To Client -
From Client -
To Server -
From Server
UDP data streams are not typically thought of in terms of sessions. UDP is a connectionless protocol that does not provide a means for two endpoints to establish a communication channel, exchange data, and close the channel. However, the stream preprocessor uses the source and destination IP address fields in the encapsulating IP datagram header and the port fields in the UDP header to determine the direction of flow and identify a session. A session ends when a configurable timer is exceeded, or when either endpoint receives an ICMP message that the other endpoint is unreachable or the requested service is unavailable.
Note that the system does not generate events related to UDP stream preprocessing; however, you can enable related packet decoder rules to detect UDP protocol header anomalies.