[Snort-devel] Unified Logging (PKT_STREAM_TWH & PKT_FROM_CLIENT)

Christopher Granger chrisgrangerx at ...2499...
Tue Feb 21 09:39:48 EST 2012


Hi Snort Dev,

Regarding Unified logging & Packet Flags, can you answer this question, please?

If the Packet Flags bit 0x00000020 is set (referenced below from decode.h)

#define PKT_STREAM_TWH                         0x00000020  /* packet completes the 3-way handshake */

#define PKT_FROM_CLIENT                        0x00000080  /* this packet came from the client */

should flag 0x00000080 always also be set?

Based on log sampling I've done, this seems to be the case -- i.e.
while 0x00000080 may be set alone, whenever 0x00000020 is set,
0x00000080 is also set.

Thank you,
-Chris
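An added example (not from the post or from Snort's own code) that turns the log-sampling check described above into a small C routine: it takes a sample of unified2 packet-flags words and counts those where PKT_STREAM_TWH is set without PKT_FROM_CLIENT. The two #define values are the ones quoted from decode.h above; the sample flag words are constructed, not taken from a real log.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Flag bits as quoted from Snort's decode.h in the post above. */
#define PKT_STREAM_TWH   0x00000020  /* packet completes the 3-way handshake */
#define PKT_FROM_CLIENT  0x00000080  /* this packet came from the client */

/* Returns 1 if a single packet-flags word satisfies
 * "PKT_STREAM_TWH set => PKT_FROM_CLIENT set", else 0. */
int twh_implies_client(uint32_t flags)
{
    if (!(flags & PKT_STREAM_TWH))
        return 1;                         /* TWH not set: nothing to check */
    return (flags & PKT_FROM_CLIENT) != 0;
}

/* Scans n flag words and returns how many violate the implication.
 * If first_bad is non-NULL it receives the index of the first violator. */
size_t count_violations(const uint32_t *flags, size_t n, size_t *first_bad)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (!twh_implies_client(flags[i])) {
            if (bad == 0 && first_bad != NULL)
                *first_bad = i;
            bad++;
        }
    }
    return bad;
}

/* Constructed sample words (hypothetical, not from a real unified2 log).
 * sample_ok matches what the post observed: 0x80 alone, or 0x20 with 0x80.
 * sample_bad contains one word with 0x20 set but 0x80 clear. */
static const uint32_t sample_ok[]  = { 0x00000080, 0x000000a0, 0x00000000, 0x000000a1 };
static const uint32_t sample_bad[] = { 0x00000080, 0x00000020 };

int main(void)
{
    size_t idx = 0;
    size_t n_ok  = count_violations(sample_ok,  sizeof sample_ok  / sizeof *sample_ok,  NULL);
    size_t n_bad = count_violations(sample_bad, sizeof sample_bad / sizeof *sample_bad, &idx);
    printf("sample_ok: %zu violations\n", n_ok);            /* prints 0 */
    printf("sample_bad: %zu violations, first at index %zu\n", n_bad, idx); /* 1, index 1 */
    return 0;
}
```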