[Snort-devel] flow nomenclature

Mathew Johnston mjohnston at ...1001...
Fri Apr 5 05:57:05 EST 2002


A TCP session does not necessarily have one initiator. For example, in
the 'call collision' case, both sides can attempt to initiate a
connection at the same time, between the same two sockets. If hostA
attempts to connect to port 1026 on hostB, from port 1025, at the exact
same time that hostB tries to connect to host A on port 1025, from port
1026, a connection will be established. In this case, I do not believe
that either side starts in a 'listen' state in this case. Not that this
ever really happens in the real world, but it could.

I couldn't find a lot online about this, but it's described in 'Computer
Networks 3rd edition' by Andrew Tanenbaum on page 529.

Mat.


On Thu, 2002-04-04 at 17:23, Benjamin.Feinstein at ...1192... wrote:
> Hey ya'll,
> 
> I wanted to bring up a problem I'm having with the nomenclature for the new
> "flow" check in the 1.9.x branch. It seems that the assumption is implicit
> in the "to/from client/server" flags that application protocols within the
> TCP streams being reassembled are client-server protocols. The assumption is
> made that the TCP listener is the "server" and the TCP initiator is the
> "client." While this holds for many TCP-based protocols like HTTP, (passive)
> FTP, etc., protocols based on BEEP (e.g., IDXP) make no such assumption.
> Additionally, peer-to-peer protocols (e.g., Gnutella, Kaaza) do not
> necessarily have any concept of "client" or "server". I suggest that the
> following substitutions be done across the 1.9.x branch code and rules:
> 
> ,s/to_server/to_listener/g
> ,s/from_server/from_listener/g
> ,s/to_client/to_initiator/g
> ,s/from_client/from_initiator/g
> 
> Does this make sense to people? Am I being too nit-picky on the naming here?
> 
> Cheers,
> Ben
> 
> > Ben Feinstein
> >   Software Development Engineer, R & D
> >   W: 678.585.7865 x6726 F: 770.645.8311 M: 678.772.4126
> >   8302 Dunwoody Pl., Suite 320, Atlanta, GA 30350 www.guardent.com
> > _____________________________________________________
> > G U A R D E N T
> >   Enterprise Security and Privacy Programs
> > 
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel







More information about the Snort-devel mailing list