[Snort-users] stream4 - zero bytes records

Elias Athanasopoulos elathan at ...13559...
Fri May 26 05:05:25 EDT 2006


Hello!

I am using stream4 with the configuration below:

preprocessor stream4: disable_evasion_alerts, keepstats machine
preprocessor stream4_reassemble: both, ports:all

However, in the session.log file I have a lot of records *but not all* 
with zero bytes on the Client side, on the Server side, or both. 

For example:

[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
67.70.68.8  port: 63960  pkts: 1  bytes: 0] [Client IP: 147.52.78.17  port: 2213  pkts: 1  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
147.52.136.3  port: 4662  pkts: 2  bytes: 0] [Client IP: 87.90.0.251  port: 27786  pkts: 2  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
147.52.3.67  port: 4662  pkts: 2  bytes: 0] [Client IP: 88.35.43.210  port: 4788  pkts: 2  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
61.123.32.10  port: 13340  pkts: 1  bytes: 0] [Client IP: 147.52.48.227  port: 1634  pkts: 1  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
66.151.150.12  port: 2703  pkts: 4  bytes: 103] [Client IP: 147.52.67.2  port: 47818  pkts: 2  bytes: 17]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
147.52.110.2  port: 1433  pkts: 4  bytes: 86] [Client IP: 67.110.178.233  port: 43413  pkts: 5  bytes: 168]

A snorter in #snort told me that there are cases where snort logs 0 bytes
(especially in Web traffic). If this is the case, is there a place where I can
find the heuristics used by snort (or stream4) for that decision?

PS. Please, 'cc' me as I am not subscribed.

Regards,
-- 
Elias Athanasopoulos
Distributed Computing Systems (DCS)
Institute of Computer Science (ICS/FORTH)
Heraklion, Crete

A bug can become a feature by documenting it.
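A small parser for the session.log record format quoted above, added here as an example (it is not part of the original post or of Snort's own code): it splits the records into those with and without payload bytes on each side, which is the distinction the poster is asking about. It assumes the `bytes` column counts data bytes and that each record occupies one line in the real file; the sample below is constructed from the records quoted in the post, unwrapped onto single lines.

```python
import re

# Sample session.log records, constructed from those quoted in the post, with each
# record unwrapped onto a single line (the mailing-list wrapping had split them).
SAMPLE_LOG = """\
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 67.70.68.8  port: 63960  pkts: 1  bytes: 0] [Client IP: 147.52.78.17  port: 2213  pkts: 1  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 147.52.136.3  port: 4662  pkts: 2  bytes: 0] [Client IP: 87.90.0.251  port: 27786  pkts: 2  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 66.151.150.12  port: 2703  pkts: 4  bytes: 103] [Client IP: 147.52.67.2  port: 47818  pkts: 2  bytes: 17]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 147.52.110.2  port: 1433  pkts: 4  bytes: 86] [Client IP: 67.110.178.233  port: 43413  pkts: 5  bytes: 168]
"""

# One side of a record: "[<Role> IP: a.b.c.d  port: N  pkts: N  bytes: N]"
SIDE = (r"\[{role} IP: (?P<{p}ip>[^\s\]]+)\s+port: (?P<{p}port>\d+)"
        r"\s+pkts: (?P<{p}pkts>\d+)\s+bytes: (?P<{p}bytes>\d+)\]")
RECORD_RE = re.compile(
    r"\[\*\] Session => Start: (?P<start>\S+) End Time: (?P<end>[^\s\[]+)"
    + SIDE.format(role="Server", p="s") + r"\s*" + SIDE.format(role="Client", p="c"))

def parse_sessions(text):
    """Parse each session record into a dict (numeric fields as int); skip non-matching lines."""
    sessions = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rec = m.groupdict()
            for k in ("sport", "spkts", "sbytes", "cport", "cpkts", "cbytes"):
                rec[k] = int(rec[k])
            sessions.append(rec)
    return sessions

def payload_class(rec):
    """Classify by which side carried payload bytes. Assumes 'bytes' counts data bytes,
    so pkts > 0 with bytes == 0 means only payload-less segments (handshake, ACK, RST/FIN)."""
    s, c = rec["sbytes"], rec["cbytes"]
    if s == 0 and c == 0:
        return "no-payload"
    if c > 0 and s == 0:
        return "client-only"
    if s > 0 and c == 0:
        return "server-only"
    return "bidirectional"

def summarize(text):
    """Count sessions per payload class: the split the poster wanted to see."""
    counts = {}
    for rec in parse_sessions(text):
        k = payload_class(rec)
        counts[k] = counts.get(k, 0) + 1
    return counts
```

Running `summarize(open("session.log").read())` on a real file gives the proportion of zero-byte sessions at a glance; `parse_sessions` returns the individual records so the no-payload ones can be inspected by port.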
