[Snort-devel] flow nomenclature

Benjamin.Feinstein at ...1192... Benjamin.Feinstein at ...1192...
Sat Apr 6 14:05:07 EST 2002

Hey ya'll,

Thanks for all the responses so far.  I guess the question I was really
trying to ask was, how is the flow match really implemented?  Section 2.3.36
of the Snort Users Manual
<http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.36> still
leaves some questions in my mind.  I know I could go digging in the source
to figure it out myself, but I first wanted to bounce this off all ya'll
excellent Snort developers out there :)  Marty et. al., we all truly
appreciate what you've created!

Regarding the description of "flow" in Section 2.3.36, is "A" defined to be
the host on the left-hand side of the '->' in the rule and "B" on the RHS?
How does flow differentiate a "server response" from a "client request"? Or
does flow use stateful connection tracking from the stream reassembler to
assign the role of "client" to the TCP initiator and "server" to the TCP
listener? Thanks for any explaination...


> Ben Feinstein
>   Software Development Engineer, R & D
>   W: 678.585.7865 x6726 F: 770.645.8311 M: 678.772.4126
>   8302 Dunwoody Pl., Suite 320, Atlanta, GA 30350 www.guardent.com
> _____________________________________________________
> G U A R D E N T
>   Enterprise Security and Privacy Programs

More information about the Snort-devel mailing list