[Snort-devel] flow nomenclature

Benjamin.Feinstein at ...1192...
Thu Apr 4 14:30:49 EST 2002


Hey y'all,

I wanted to bring up a problem I'm having with the nomenclature for the new
"flow" check in the 1.9.x branch. It seems that the assumption is implicit
in the "to/from client/server" flags that application protocols within the
TCP streams being reassembled are client-server protocols. The assumption is
made that the TCP listener is the "server" and the TCP initiator is the
"client." While this holds for many TCP-based protocols like HTTP, (passive)
FTP, etc., protocols based on BEEP (e.g., IDXP) make no such assumption.
Additionally, peer-to-peer protocols (e.g., Gnutella, Kazaa) do not
necessarily have any concept of "client" or "server". I suggest that the
following substitutions be done across the 1.9.x branch code and rules:

,s/to_server/to_listener/g
,s/from_server/from_listener/g
,s/to_client/to_initiator/g
,s/from_client/from_initiator/g

Does this make sense to people? Am I being too nit-picky on the naming here?

Cheers,
Ben

> Ben Feinstein
>   Software Development Engineer, R & D
>   W: 678.585.7865 x6726 F: 770.645.8311 M: 678.772.4126
>   8302 Dunwoody Pl., Suite 320, Atlanta, GA 30350 www.guardent.com
> _____________________________________________________
> G U A R D E N T
>   Enterprise Security and Privacy Programs
> 
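
The ed-style substitutions in the post rewrite every occurrence on every line, including text inside `msg` and `content` strings. As an added example (not part of the original post or of Snort's code), this Python script applies the proposed renames only inside `flow` options; the `to_listener`/`to_initiator` names are the post's proposal rather than keywords Snort accepts, and the sample rules and sids are constructed.

```python
import re

# Renames proposed in the post. The *_listener / *_initiator names are the
# proposal's, not keywords that Snort is known to accept.
RENAMES = {
    "to_server": "to_listener",
    "from_server": "from_listener",
    "to_client": "to_initiator",
    "from_client": "from_initiator",
}

# One flow option: "flow:" up to its terminating ";".
FLOW_OPTION = re.compile(r'(\bflow\s*:\s*)([^;]*)(;)')
# Quoted option values (msg, content, ...), honouring \" escapes.
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')


def _rewrite_flow(match):
    # Rename each comma-separated keyword; unknown keywords pass through.
    keywords = [k.strip() for k in match.group(2).split(",")]
    return match.group(1) + ",".join(RENAMES.get(k, k) for k in keywords) + match.group(3)


def rename_flow_keywords(rule):
    """Rename direction keywords in flow options, leaving quoted strings alone."""
    out, pos = [], 0
    for quoted in QUOTED.finditer(rule):
        # Text before this quoted string may hold a flow option; rewrite it.
        out.append(FLOW_OPTION.sub(_rewrite_flow, rule[pos:quoted.start()]))
        out.append(quoted.group(0))  # quoted text is copied verbatim
        pos = quoted.end()
    out.append(FLOW_OPTION.sub(_rewrite_flow, rule[pos:]))
    return "".join(out)


# Constructed sample rules: the first carries the keywords inside msg and
# content as well, where a blind substitution would corrupt the rule.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB to_server test"; '
    'flow:to_server,established; content:"from_client"; sid:1000001;)',
    'alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP reply"; '
    'flow: from_server , established; sid:1000002;)',
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rename_flow_keywords(rule))
```

Whitespace around the keywords inside a rewritten `flow` option is normalised; everything else in the rule is preserved byte for byte.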



