[Snort-devel] Quick question on Stream4 code.

Vinay A. Mahadik VAMahadik at ...1463...
Fri Aug 23 10:44:06 EDT 2002


In CreateNewSession(), if we find that the particular packet didn't have
either a SYN or a SYN+ACk combination (lets say it had just an ACK+PSH),
then the code sets the server-stream as the destination of the packet,
and the source is set as the client. I do understand that the absence of
SYNs could be due to a 'cold start' or dropped packets or an idle
session that's being caught again. However, I didn't quite get the
philosophy behind the choice of server and client in there. If it was
arbitrary, wouldn't a better approach be to call local (define homenet
for stream4 in snort.conf) hosts as servers and remote ones as clients
(since that's the usual case).

Please do let me know..

Thanks,
Vinay.

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618




More information about the Snort-devel mailing list