[Snort-devel] Unified Logging (PKT_STREAM_TWH & PKT_FROM_CLIENT)

Chris Granger chrisgrangerx at ...2499...
Tue Feb 21 11:43:27 EST 2012


Thanks for the feedback. I'm attempting to identify code which makes client IP assignations; it seems that packets flagged as completing TWHs would also necessarily be identified as from clients?

Sent from my iPhone

On Feb 21, 2012, at 10:44 AM, Steven Sturges <ssturges at ...402...> wrote:

> That's how TCP usually works, though not always (i.e., server splitting
> its SYN & ACK packets).  Typically the 3rd packet of the 3-way
> handshake is from the client.
> 
> SYN -->
> <-- SYN/ACK
> ACK -->
> 
> On 2/21/12 9:39 AM, Christopher Granger wrote:
>> Hi Snort Dev,
>> 
>> Regarding Unified logging & Packet Flags, can you answer this question,
>> please?
>> 
>> If the Packet Flags bit 0x00000020 is set (referenced below from decode.h)
>> 
>> #define PKT_STREAM_TWH    0x00000020  /* packet completes the 3-way handshake */
>> 
>> #define PKT_FROM_CLIENT   0x00000080  /* this packet came from the client */
>> 
>> should flag 0x00000080 always also be set?
>> Based on log sampling I've done, this seems to be the case -- i.e.
>> while 0x00000080 may be set alone, whenever 0x00000020 is set, 0x00000080
>> is also set.
>> Thank you,
>> -Chris
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> 
>> Please visit http://blog.snort.org for the latest news about Snort!
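An added example, not code from the thread or from Snort itself, that models the exchange Steven drew above (SYN, SYN/ACK, ACK) with a minimal direction tracker and then checks the invariant Chris asked about, that a record with PKT_STREAM_TWH set also has PKT_FROM_CLIENT set. The two flag values are the ones quoted from decode.h; everything else (the pkt_t and session_t structures, the track_packet, run_textbook_handshake and count_twh_without_client functions, the 10.0.0.1/10.0.0.2 addresses and the list of logged flag words) is constructed for illustration and is not how Snort's stream code is written. The tracker hard-codes the usual case, where the SYN initiator is the client and the third packet is the client's ACK; it does not handle the split SYN and ACK case Steven mentions, so such a session would never be marked as completing the handshake here:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Flag values copied from the decode.h lines quoted in the thread. */
#define PKT_STREAM_TWH   0x00000020  /* packet completes the 3-way handshake */
#define PKT_FROM_CLIENT  0x00000080  /* this packet came from the client */

/* TCP header control bits (RFC 793). */
#define TH_SYN 0x02
#define TH_ACK 0x10

/* Constructed, minimal packet view: only what direction tracking needs. */
typedef struct {
    uint32_t src_ip;        /* constructed host-order addresses */
    uint32_t dst_ip;
    uint8_t  th_flags;      /* TCP control bits */
    uint32_t packet_flags;  /* output: PKT_* bits, analogous to a packet_flags word */
} pkt_t;

/* Per-session state: the SYN initiator is the client (assumption); handshake progress. */
typedef struct {
    uint32_t client_ip;
    uint32_t server_ip;
    enum { S_NONE, S_SYN, S_SYNACK, S_ESTABLISHED } state;
} session_t;

void session_init(session_t *s) { memset(s, 0, sizeof *s); }

/* Classify one packet, set its PKT_* bits and return them. */
uint32_t track_packet(session_t *s, pkt_t *p)
{
    p->packet_flags = 0;

    if (s->state == S_NONE) {
        /* A bare SYN opens the session; its sender is recorded as the client. */
        if (p->th_flags == TH_SYN) {
            s->client_ip = p->src_ip;
            s->server_ip = p->dst_ip;
            s->state = S_SYN;
            p->packet_flags |= PKT_FROM_CLIENT;
        }
        return p->packet_flags;
    }

    /* After the SYN, direction is a comparison against the recorded client address. */
    if (p->src_ip == s->client_ip)
        p->packet_flags |= PKT_FROM_CLIENT;

    if (s->state == S_SYN && p->src_ip == s->server_ip &&
        (p->th_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) {
        s->state = S_SYNACK;
    } else if (s->state == S_SYNACK && p->src_ip == s->client_ip &&
               (p->th_flags & (TH_SYN | TH_ACK)) == TH_ACK) {
        /* Third packet: the client's ACK completes the handshake. */
        s->state = S_ESTABLISHED;
        p->packet_flags |= PKT_STREAM_TWH;
    }
    return p->packet_flags;
}

/* The invariant asked about: if PKT_STREAM_TWH is set, PKT_FROM_CLIENT must be set too. */
int twh_implies_client(uint32_t flags)
{
    return !(flags & PKT_STREAM_TWH) || (flags & PKT_FROM_CLIENT) != 0;
}

/* Replay the SYN / SYN-ACK / ACK exchange from the thread; writes each packet's
 * flags into out[3] and returns the final session state (3 = established). */
int run_textbook_handshake(uint32_t out[3])
{
    const uint32_t client = 0x0A000001, server = 0x0A000002; /* constructed 10.0.0.1 / 10.0.0.2 */
    pkt_t pkts[3] = {
        { client, server, TH_SYN,          0 },   /* SYN -->     */
        { server, client, TH_SYN | TH_ACK, 0 },   /* <-- SYN/ACK */
        { client, server, TH_ACK,          0 },   /* ACK -->     */
    };
    session_t s;
    session_init(&s);
    for (int i = 0; i < 3; i++)
        out[i] = track_packet(&s, &pkts[i]);
    return (int)s.state;
}

/* Scan logged packet_flags words and count records that break the invariant,
 * i.e. the check Chris's log sampling was doing by hand. */
size_t count_twh_without_client(const uint32_t *flags, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!twh_implies_client(flags[i]))
            bad++;
    return bad;
}

int main(void)
{
    uint32_t f[3];
    int state = run_textbook_handshake(f);
    for (int i = 0; i < 3; i++)
        printf("packet %d: packet_flags=0x%08x TWH=%d FROM_CLIENT=%d\n", i + 1, f[i],
               !!(f[i] & PKT_STREAM_TWH), !!(f[i] & PKT_FROM_CLIENT));
    printf("session state=%d (3 = established)\n", state);

    /* Constructed sample of logged flag words; 0x20 alone is the anomaly being hunted. */
    const uint32_t logged[] = { 0x00000080, 0x000000a0, 0x00000000, 0x000000a8, 0x00000020 };
    printf("records with TWH but not FROM_CLIENT: %zu\n",
           count_twh_without_client(logged, sizeof logged / sizeof logged[0]));
    return 0;
}
```

Run against the textbook handshake, only the third packet carries PKT_STREAM_TWH, and it carries PKT_FROM_CLIENT with it, which is exactly the pairing the log sampling observed; count_twh_without_client is the scan to run over real packet_flags words if one wants more than a sample, and any non-zero count points at a session where the completing packet was not attributed to the client.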
