stream_reassemble
The stream_reassemble rule option is used to enable or disable TCP stream reassembly on the traffic that matches the rule.
This rule option takes two required arguments: (1) the action, i.e. whether to enable or disable stream reassembly, and (2) the direction, i.e. whether the action applies to client traffic, server traffic, or both client and server traffic. Two optional arguments are also available: (1) noalert, which prevents the rule from generating an alert on matching traffic (the reassembly change still takes effect, so the rule can be used purely as a control rule), and (2) fastpath, which tells Snort to ignore the rest of the session. Note that this option is only available when the Stream (Stream5) preprocessor is enabled.
Format:
stream_reassemble:action {enable|disable}, direction {server|client|both} \
[, noalert][, fastpath];
Example:
# this will disable stream reassembly on client traffic when
# "ABCDEF" is seen in server response traffic and will also
# prevent the rule from generating an alert
flow:to_client,established;
content:"ABCDEF";
stream_reassemble:action disable, direction client, noalert;
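To show how the format above is applied in practice, here is an added Python example (not part of the Snort manual or of Snort's own rule parser) that extracts stream_reassemble options from a rule's option body and validates them against the documented grammar: both required arguments in the documented order, only the two documented modifiers, no duplicates, and backslash line continuation as used in the Format line. The function names, the RuleOptionError class and the sample rule body (which deliberately puts a ';' inside a content pattern) are assumptions of this example; Snort does not expose such an API.

```python
"""Validate stream_reassemble rule options against the documented grammar.

Added example, not Snort's own parser.  Grammar checked:
    stream_reassemble:action {enable|disable}, direction {server|client|both} \
        [, noalert][, fastpath];
"""
from __future__ import annotations

from dataclasses import dataclass

_ACTIONS = {"enable", "disable"}
_DIRECTIONS = {"server", "client", "both"}
_MODIFIERS = {"noalert", "fastpath"}


class RuleOptionError(ValueError):
    """Raised when a stream_reassemble option does not follow the format."""


@dataclass(frozen=True)
class StreamReassemble:
    action: str       # "enable" or "disable"
    direction: str    # "server", "client" or "both"
    noalert: bool = False
    fastpath: bool = False


def split_options(body: str) -> list[str]:
    """Split a rule option body on ';' characters outside quoted strings.

    A naive body.split(';') would break content:"ABC;DEF"; this splitter
    honours backslash escapes inside quotes and joins '\\' line continuations.
    """
    body = body.replace("\\\n", " ")
    parts, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            current.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def _keyword(part: str, key: str, allowed: set[str]) -> str:
    """Parse 'key value' and check that value is one of the allowed words."""
    tokens = part.split()
    if len(tokens) != 2 or tokens[0] != key:
        raise RuleOptionError(f"expected '{key} <value>', got {part!r}")
    if tokens[1] not in allowed:
        raise RuleOptionError(
            f"{key} must be one of {sorted(allowed)}, got {tokens[1]!r}")
    return tokens[1]


def parse_stream_reassemble(option: str) -> StreamReassemble:
    """Parse one option such as
    'stream_reassemble:action disable, direction client, noalert;'."""
    text = option.replace("\\\n", " ").strip().rstrip(";").strip()
    name, sep, args = text.partition(":")
    if not sep or name.strip() != "stream_reassemble":
        raise RuleOptionError(f"not a stream_reassemble option: {option!r}")
    parts = [p.strip() for p in args.split(",")]
    if len(parts) < 2 or not parts[1]:
        raise RuleOptionError("both 'action' and 'direction' are required")
    action = _keyword(parts[0], "action", _ACTIONS)          # required, first
    direction = _keyword(parts[1], "direction", _DIRECTIONS)  # required, second
    seen: set[str] = set()
    for mod in parts[2:]:                                     # optional modifiers
        if mod not in _MODIFIERS:
            raise RuleOptionError(f"unknown modifier {mod!r}")
        if mod in seen:
            raise RuleOptionError(f"duplicate modifier {mod!r}")
        seen.add(mod)
    return StreamReassemble(action, direction,
                            noalert="noalert" in seen,
                            fastpath="fastpath" in seen)


def stream_reassemble_options(body: str) -> list[StreamReassemble]:
    """Return every parsed stream_reassemble option found in a rule body."""
    return [parse_stream_reassemble(opt)
            for opt in split_options(body)
            if opt.startswith("stream_reassemble")]


def is_valid(option: str) -> bool:
    """True when the option parses cleanly; useful when linting rule files."""
    try:
        parse_stream_reassemble(option)
    except RuleOptionError:
        return False
    return True


# Constructed sample body: the manual's example options, with a content
# pattern containing ';' to exercise the quote-aware splitter.
SAMPLE_BODY = (
    'flow:to_client,established; content:"ABC;DEF"; '
    "stream_reassemble:action disable, direction client, noalert;"
)

if __name__ == "__main__":
    for opt in stream_reassemble_options(SAMPLE_BODY):
        print(opt)
```

Running the module prints the parsed option from the sample body; `is_valid` rejects the mistakes a rule writer is most likely to make, such as swapping the order of action and direction or misspelling a modifier, which Snort would otherwise report only at startup.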