[Snort-devel] new plugin for rules based on stream offset

Chris Green cmg at ...402...
Sun Aug 4 11:40:02 EDT 2002


Andreas Östling <andreaso at ...387...> writes:

> Both are claimed to be from server.
> If I got this right, I don't think it's correct that stream_pkt
> should inherit the FROM_CLIENT/SERVER flags directly from p.
> Just when the stream is rebuilt, I guess p here is the very last packet
> in the stream, which in the example above is the server ACK'ing the
> client's FIN. Since this packet is from the server, the rebuilt stream(s)
> is (incorrectly) marked to be from server as well. When the client ends
> the session, both streams are instead marked to be from client (since the
> last packet will be the client ACK'ing the server's FIN).

You are right....  Thank goodness for your extra set of eyeballs.
Going to do this then do a beta release.

Thanks,
Chris who spent part of the day dealing with docs
-- 
Chris Green <cmg at ...402...>
You now have 14 minutes to reach minimum safe distance.
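
A small C model of the flag inheritance described in the quoted report, added here as an illustration and not taken from Snort's source. The flag values, `Pkt`, `Side` and both labelling functions are hypothetical, and labelling by the sending side is an assumed correction, not necessarily the change that went into the beta.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical flag values and types for this sketch; not Snort's own definitions. */
#define FROM_SERVER 0x01u
#define FROM_CLIENT 0x02u
#define DIR_MASK    (FROM_SERVER | FROM_CLIENT)

typedef struct { uint32_t flags; } Pkt;          /* p: packet that triggers the rebuild */
typedef enum { SIDE_CLIENT, SIDE_SERVER } Side;  /* which side sent the rebuilt data */

/* Behaviour described in the report: the rebuilt packet copies p's direction. */
static uint32_t dir_inherited(const Pkt *p, Side sender)
{
    (void)sender;
    return p->flags & DIR_MASK;
}

/* Assumed correction: direction comes from the side whose data was reassembled. */
static uint32_t dir_by_sender(const Pkt *p, Side sender)
{
    (void)p;
    return sender == SIDE_CLIENT ? FROM_CLIENT : FROM_SERVER;
}

/* Rebuild both halves of one session and count wrongly labelled rebuilt streams. */
int count_mislabeled(uint32_t (*label)(const Pkt *, Side), uint32_t last_pkt_flags)
{
    const Side senders[2] = { SIDE_CLIENT, SIDE_SERVER };
    Pkt last = { last_pkt_flags };
    int bad = 0;
    for (int i = 0; i < 2; i++) {
        uint32_t want = senders[i] == SIDE_CLIENT ? FROM_CLIENT : FROM_SERVER;
        if (label(&last, senders[i]) != want)
            bad++;
    }
    return bad;
}

int inherited_errors(uint32_t last) { return count_mislabeled(dir_inherited, last); }
int by_sender_errors(uint32_t last) { return count_mislabeled(dir_by_sender, last); }

int main(void)
{
    /* Constructed case from the report: the server ACKs the client's FIN last. */
    printf("inherited: %d mislabeled, by sender: %d mislabeled\n",
           inherited_errors(FROM_SERVER), by_sender_errors(FROM_SERVER));
    return 0;
}
```

Whichever side sends the final ACK, the inherited labelling gets exactly one of the two rebuilt streams wrong, so a rule restricted to one direction is evaluated against the other side's data.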



