[Snort-devel] Re: Quick question on Stream4 code.

Vinay A. Mahadik VAMahadik at ...1463...
Fri Aug 23 13:51:04 EDT 2002


Chris Green wrote:
> 
> Server responses are always within seconds of client stimulus unless
> you have some really heavy CGI or something or less used protocols
> that we don't really have rules for.

Here's my confusion - isn't it possible that at around 4% (say) packet
dropping, we see the first non-SYN packet of a session as coming from
the server and not from the client? So one situation would be, we miss
the client's SYN, the server's SYN-ACK, then the client's ACK and any
possible request from client. And we don't miss the first response 'ACK'
from the server - as a matter of chance for a particular session. 

I am not sure if Stream4's detection capability is affected by this
choice, but I was obsessing over another problem which involved knowing
the 'direction' of a session based on just a 'partial' view of a
session. 

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
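
The scenario raised above can be put in numbers. This is an added example, not part of the original message and not Stream4's code: it assumes independent per-packet drops and a constructed six-packet session, and the function names are hypothetical. It compares labelling the sender of the first packet seen as the client against using only the handshake flags.

```python
from itertools import product

# Constructed session: (sender, TCP flags). "C" = client, "S" = server.
# SYN, SYN-ACK, ACK, client request, server ACK, server response.
SESSION = [("C", "S"), ("S", "SA"), ("C", "A"), ("C", "PA"), ("S", "A"), ("S", "PA")]

def naive_guess(observed):
    """Label the sender of the first packet seen as the client."""
    return observed[0][0]

def flag_aware_guess(observed):
    """Decide only from handshake flags; return None on a midstream pickup."""
    sender, flags = observed[0]
    if flags == "S":
        return sender                          # bare SYN: sender initiated
    if flags == "SA":
        return "C" if sender == "S" else "S"   # SYN-ACK: sender is the responder
    return None                                # no handshake seen: direction unknown

def outcomes(guess, drop_rate):
    """Exact outcome probabilities over every drop pattern (independent drops assumed)."""
    result = {"correct": 0.0, "wrong": 0.0, "unknown": 0.0, "unseen": 0.0}
    for kept in product([True, False], repeat=len(SESSION)):
        weight = 1.0
        for k in kept:
            weight *= (1 - drop_rate) if k else drop_rate
        observed = [pkt for pkt, k in zip(SESSION, kept) if k]
        if not observed:
            result["unseen"] += weight         # every packet of the session was dropped
            continue
        label = guess(observed)
        if label is None:
            result["unknown"] += weight
        elif label == "C":
            result["correct"] += weight
        else:
            result["wrong"] += weight
    return result

if __name__ == "__main__":
    for g in (naive_guess, flag_aware_guess):
        print(g.__name__, outcomes(g, 0.04))
```

At a 4% drop rate the exact case described in the message (first four packets missed, server ACK seen) has probability 0.04^4 × 0.96, but the first-seen rule is wrong far more often because a missed SYN followed by a captured SYN-ACK already reverses it.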



