The stream_reassemble Keyword
You can use the stream_reassemble keyword to enable or disable TCP stream reassembly for a single connection when inspected traffic on the connection matches the conditions of the rule. Optionally, you can use this keyword multiple times in a rule.
Use the following syntax to enable or disable stream reassembly:

```
enable|disable, server|client|both, option, option
```
The following table describes the optional arguments you can use with the stream_reassemble keyword.

Argument | Description
---|---
noalert | Generate no events regardless of any other detection options specified in the rule.
fastpath | Ignore the rest of the connection traffic when there is a match.
For example, the following rule disables TCP client-side stream reassembly, without generating an event, on the connection where a 200 OK status code is detected in an HTTP response:

```
alert tcp any 80 -> any any (flow:to_client, established; content: "200 OK"; stream_reassemble:disable, client, noalert;)
```
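As an added illustration, not part of the Cisco documentation, the following Python checker validates a stream_reassemble argument string against the syntax above (action, direction, then optional noalert/fastpath) and extracts every such directive from a rule body; the function names and the regular expression are my own, and the sample rule is the one shown above.

```python
import re

# Vocabulary from the documented syntax: enable|disable, server|client|both, option, option
ACTIONS = {"enable", "disable"}
DIRECTIONS = {"server", "client", "both"}
OPTIONS = {"noalert", "fastpath"}

# One stream_reassemble directive inside a rule's option body; the argument
# list is assumed to contain no ';' or ')' (true for this keyword's syntax).
DIRECTIVE_RE = re.compile(r"stream_reassemble\s*:\s*([^;)]+)")

def parse_stream_reassemble(arg):
    """Parse 'disable, client, noalert' into action/direction/option flags; raise ValueError otherwise."""
    parts = [p.strip() for p in arg.split(",")]
    if len(parts) < 2:
        raise ValueError("stream_reassemble needs an action and a direction")
    action, direction, *opts = parts
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction {direction!r}")
    seen = set()
    for opt in opts:
        if opt not in OPTIONS:
            raise ValueError(f"unknown option {opt!r}")
        if opt in seen:
            raise ValueError(f"option {opt!r} given twice")
        seen.add(opt)
    return {"action": action, "direction": direction,
            "noalert": "noalert" in seen, "fastpath": "fastpath" in seen}

def is_valid_stream_reassemble(arg):
    """True when the argument string follows the documented syntax."""
    try:
        parse_stream_reassemble(arg)
    except ValueError:
        return False
    return True

def stream_reassemble_directives(rule):
    """All stream_reassemble directives in a rule, in order (the keyword may appear more than once)."""
    return [parse_stream_reassemble(m.group(1)) for m in DIRECTIVE_RE.finditer(rule)]

# Constructed sample: the rule from the documentation above.
SAMPLE_RULE = ('alert tcp any 80 -> any any (flow:to_client, established; '
               'content: "200 OK"; stream_reassemble:disable, client, noalert;)')

if __name__ == "__main__":
    print(stream_reassemble_directives(SAMPLE_RULE))
```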