[Snort-devel] [ snort-Bugs-506518 ] Snort session logging logs session frags

noreply at ...12...
Tue Jan 22 12:54:02 EST 2002


Bugs item #506518, was opened at 2002-01-21 08:35
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=506518&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Snort session logging logs session frags

Initial Comment:
The stream4 session logging in snort 1.8.3 logs
'session fragments' and does not flag them as missing a
valid TCP handshake. Some examples of which (cleaned):

[*] Session stats:
   Start Time: 01/14/02-10:57:24   End Time: 01/14/02-10:57:24
   Server IP: client-IP  port: 55610  pkts: 0  bytes: 0
   Client IP: remote-IP  port: 80  pkts: 1  bytes: 0
[*] Session stats:
   Start Time: 01/14/02-10:57:24   End Time: 01/14/02-10:57:24
   Server IP: client-IP  port: 55608  pkts: 0  bytes: 0
   Client IP: remote-IP-2  port: 80  pkts: 1  bytes: 0
[*] Session stats:
   Start Time: 01/14/02-10:57:28   End Time: 01/14/02-10:57:28
   Server IP: client-IP  port: 55623  pkts: 0  bytes: 0
   Client IP: remote-IP-3  port: 80  pkts: 1  bytes: 0
[*] Session stats:
   Start Time: 01/18/02-10:29:52   End Time: 01/18/02-10:29:53
   Server IP: remote_SMTP_client-IP  port: 28422  pkts: 1  bytes: 0
   Client IP: our_mail_server-IP  port: 25  pkts: 1  bytes: 43

From these logs I cannot discern a connection attempt to port 28422
on a remote_client_ip from our mail server from a session fragment.

The session log should include the TCP states which the session
logger has seen. For example, for each side of the connection:
SYN_SENT, ACK_SENT, DATA_SENT, FIN_SENT, and RST_SENT. This would
allow me to discern fragments from connection attempts and timeouts
from gracefully closed connections.

This shouldn't be too hard to make happen, since it
looks like stream4 tracks most of these states anyway.

Thanks :)
Mathew Johnston

----------------------------------------------------------------------

You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=506518&group_id=3357
