[Snort-devel] flow nomenclature

Mike Fisk mfisk at ...86...
Fri Apr 5 05:29:07 EST 2002


On Thu, 4 Apr 2002 Benjamin.Feinstein at ...1192... wrote:

> Hey ya'll,
> 
> I wanted to bring up a problem I'm having with the nomenclature for the new
> "flow" check in the 1.9.x branch. It seems that the assumption is implicit
> in the "to/from client/server" flags that application protocols within the
> TCP streams being reassembled are client-server protocols. The assumption is
> made that the TCP listener is the "server" and the TCP initiator is the
> "client." While this holds for many TCP-based protocols like HTTP, (passive)
> FTP, etc., protocols based on BEEP (e.g., IDXP) make no such assumption.
> Additionally, peer-to-peer protocols (e.g., Gnutella, Kaaza) do not
> necessarily have any concept of "client" or "server". I suggest that the
> following substitutions be done across the 1.9.x branch code and rules:
> 
> ,s/to_server/to_listener/g
> ,s/from_server/from_listener/g
> ,s/to_client/to_initiator/g
> ,s/from_client/from_initiator/g
>
> Does this make sense to people? Am I being too nit-picky on the naming here?

I confess that I had the same reaction to the "client" and "server" terms
as well, but it wasn't an issue I felt like fighting.

-- 
Mike Fisk, Los Alamos National Laboratory
See http://home.lanl.gov/mfisk/ for contact information





More information about the Snort-devel mailing list