[Snort-devel] Quick question on Stream4 code.

Chris Green cmg at ...402...
Fri Aug 23 13:30:03 EDT 2002


"Vinay A. Mahadik" <VAMahadik at ...1463...> writes:

> In CreateNewSession(), if we find that the particular packet didn't have
> either a SYN or a SYN+ACK combination (let's say it had just an ACK+PSH),
> then the code sets the server-stream as the destination of the packet,
> and the source is set as the client. I do understand that the absence of
> SYNs could be due to a 'cold start' or dropped packets or an idle
> session that's being caught again. However, I didn't quite get the
> philosophy behind the choice of server and client in there.

Most protocols that IDS cares about currently are client driven.  This
means a client issues a command, the server issues a response, and
then the server sits around waiting for a command again.

We're usually pretty trusting of servers acting like they are supposed
to but clients are the ones that typically do most of the flow
control.

This type of stuff would need more complex logic if we needed to start
saying "well, our clients are requesting a page, then the server's
pausing long enough to get out of the session table, then sending an
attack".

> If it was arbitrary, wouldn't a better approach be to call local
> (define homenet for stream4 in snort.conf) hosts as servers and
> remote ones as clients (since that's the usual case).

I would argue that that's only the usual case 50% of the time :)

If servers make up the majority of your traffic, most of them act as
said above and you trust your servers but don't trust your clients.
The clients are the ones that are driving you to act in specific ways
and are the instigators.

Server responses are always within seconds of client stimulus unless
you have some really heavy CGI or something or less used protocols
that we don't really have rules for.
-- 
Chris Green <cmg at ...402...>
Don't use a big word where a diminutive one will suffice.
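The client/server assignment the thread describes, written out as an added Python example (this is not Stream4's own C code; the `Endpoint`/`Session` types, the `SessionTable` helper and the sample packets are constructed here). It shows the three cases, and the second sample run shows the cold-start caveat: when the first packet seen is a server's PSH+ACK response, the roles come out inverted.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP flag bits as defined in the TCP header
TH_SYN = 0x02
TH_PSH = 0x08
TH_ACK = 0x10


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass
class Session:
    client: Endpoint
    server: Endpoint
    midstream: bool  # True when neither SYN nor SYN+ACK was seen at creation


def create_new_session(src: Endpoint, dst: Endpoint, flags: int) -> Session:
    """Pick client and server for a new session from the first packet seen.

    Rule as described in the thread (hypothetical re-implementation):
      - bare SYN:      source is the client, destination the server
      - SYN+ACK:       source is the server, destination the client
      - anything else: assume client -> server (cold start / dropped packets)
    """
    syn = bool(flags & TH_SYN)
    ack = bool(flags & TH_ACK)
    if syn and not ack:
        return Session(client=src, server=dst, midstream=False)
    if syn and ack:
        return Session(client=dst, server=src, midstream=False)
    return Session(client=src, server=dst, midstream=True)


def _key(a: Endpoint, b: Endpoint) -> tuple:
    # Direction-independent key so both directions map to one session
    return tuple(sorted([(a.ip, a.port), (b.ip, b.port)]))


class SessionTable:
    """Minimal session table: create on first sight, then label direction."""

    def __init__(self) -> None:
        self.sessions: Dict[tuple, Session] = {}

    def track(self, src: Endpoint, dst: Endpoint, flags: int) -> Tuple[Session, str]:
        k = _key(src, dst)
        if k not in self.sessions:
            self.sessions[k] = create_new_session(src, dst, flags)
        s = self.sessions[k]
        direction = "client->server" if src == s.client else "server->client"
        return s, direction


def label_packets(packets: List[Tuple[Endpoint, Endpoint, int]]) -> List[str]:
    """Return the direction label assigned to each packet, in order."""
    table = SessionTable()
    return [table.track(src, dst, flags)[1] for src, dst, flags in packets]


# Constructed sample traffic (documentation addresses, not real hosts)
CLIENT = Endpoint("192.0.2.10", 40000)
SERVER = Endpoint("192.0.2.80", 80)

# Full handshake: roles are fixed correctly by the SYN
HANDSHAKE = [
    (CLIENT, SERVER, TH_SYN),
    (SERVER, CLIENT, TH_SYN | TH_ACK),
    (CLIENT, SERVER, TH_ACK),
    (CLIENT, SERVER, TH_PSH | TH_ACK),
]

# Cold start: the first packet the sensor sees is the server's reply,
# so the heuristic labels the real server as the client
MIDSTREAM = [
    (SERVER, CLIENT, TH_PSH | TH_ACK),
    (CLIENT, SERVER, TH_ACK),
]

if __name__ == "__main__":
    for name, pkts in (("handshake", HANDSHAKE), ("midstream", MIDSTREAM)):
        print(name, label_packets(pkts))
```

Running it shows the handshake case labelled in the expected order, while the midstream case comes out as `client->server` for the server's reply. That inversion is exactly the situation Chris describes, and it is why a rule that only trusts "server" traffic should be read with the session's midstream flag in mind.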