[Snort-devel] spp_tcp_stream.c

Fyodor fygrave at ...1...
Sat Sep 23 16:18:56 EDT 2000


~ :
~ :The other fix for this might be to send on packets that are not part of an
~ :established TCP stream, e.g. they have a SYN, SYN/FIN, or otherwise don't
~ :look to be data packets.  Packets which are regular session traffic could
~ :then have p->tcph set to NULL.  This should prevent them from traversing

Well, yep, in the current source a packet will not be processed if p->tcph
is NULL, even if p->iph->ip_proto is IPPROTO_TCP. But we would have to
make sure that we will not miss any data in this case. Having extra false
positives (or doubled positives in this case) is better than having any
false negatives.





