[Snort-devel] [snort-devel] sfportscan and SYN scan with data

Virgil Hemery virgil.hemery at ...2499...
Tue Apr 26 13:39:41 EDT 2011


I submit the following patch. It seems to work quite well but probably in the
wrong way. It updates the session flags of ACK packets that belong to a low
session but for which no TCP session has been created.

Looking forward to your reply.

--- snort_stream5_tcp.c.old    2011-04-26 19:31:12.000000000 +0200
+++ snort_stream5_tcp.c    2011-04-26 19:25:34.000000000 +0200
@@ -7496,6 +7496,11 @@
              * we missed).
              */
             /* Do nothing. */
+
+            GetLWPacketDirection(p,lwssn);
+            if(p->packet_flags & PKT_FROM_SERVER)
+                lwssn->session_flags |= SSNFLAG_SEEN_SERVER;
+
             PREPROC_PROFILE_END(s5TcpStatePerfStats);
             return ACTION_NOTHING | retcode;
         }
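
Review bot: The added lines sit directly under the existing "/* Do nothing. */" comment, which is no longer true once this branch modifies lwssn->session_flags; replace that comment with one that says why SSNFLAG_SEEN_SERVER is set here and which sfportscan behaviour depends on it. The flag is set for any packet that ends up marked PKT_FROM_SERVER in this branch, while the description says the change is for ACK packets with no TCP session; no TCP flag check is visible in the hunk, so either confirm this branch is only reached for such ACKs or add an explicit check, because a session marked as seen from the server changes how later packets are classified. The call "GetLWPacketDirection(p,lwssn);" is used only for its effect on p->packet_flags, which deserves a one-line comment, and the client direction is left untouched, so state whether that asymmetry is intended. Style: "if(" and "(p,lwssn)" are missing spaces.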