[Snort-users] stream4 - zero bytes records

Joel Esler joel.esler at ...1935...
Fri May 26 05:42:03 EDT 2006



Sure, I suggest a read of the "Protocol Flow Analyzer" Whitepaper at
http://www.snort.org/docs/#devel.  It may fill in some blanks for you.

(Generally, I suggest everyone take a look at the 4 whitepapers at the
above link starting with "Snort 2.0"  (yes they are still valid).
Please go take a look at these, they will explain a lot for you!)

Joel

Elias Athanasopoulos wrote:
> Hello!
> 
> I am using stream4 with the configuration below:
> 
> preprocessor stream4: disable_evasion_alerts, keepstats machine
> preprocessor stream4_reassemble: both, ports:all
> 
> However, in the session.log file I have a lot of records *but not all* 
> with zero bytes in the Client side, in the Server side or both. 
> 
> For example:
> 
> [*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
> 67.70.68.8  port: 63960  pkts: 1  bytes: 0] [Client IP: 147.52.78.17  port: 2213  pkts: 1  bytes: 0]
> [*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
> 147.52.136.3  port: 4662  pkts: 2  bytes: 0] [Client IP: 87.90.0.251  port: 27786  pkts: 2  bytes: 0]
> [*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
> 147.52.3.67  port: 4662  pkts: 2  bytes: 0] [Client IP: 88.35.43.210  port: 4788  pkts: 2  bytes: 0]
> [*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
> 61.123.32.10  port: 13340  pkts: 1  bytes: 0] [Client IP: 147.52.48.227  port: 1634  pkts: 1  bytes: 0]
> [*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
> 66.151.150.12  port: 2703  pkts: 4  bytes: 103] [Client IP: 147.52.67.2  port: 47818  pkts: 2  bytes: 17]
> [*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
> 147.52.110.2  port: 1433  pkts: 4  bytes: 86] [Client IP: 67.110.178.233  port: 43413  pkts: 5  bytes: 168]
> 
> A snorter in #snort told me that there are cases that snort logs 0 bytes
> (especially in Web traffic). If this is the case, is there a place that I can
> find the heuristics used by snort (or stream4) for that decision?
> 
> PS. Please, 'cc' me as I am not subscribed.
> 
> Regards,
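The session.log records quoted in the question, parsed into their per-side counters and sorted by whether either side carried payload, as an added example written for this page rather than code from the thread or from Snort; it assumes the bytes fields count TCP payload, so a record with packets but zero bytes on both sides is a flow that never exchanged data (handshake-only or reset-only).

```python
import re
from collections import Counter

# Constructed sample: the six stream4 session.log records quoted in the
# thread, kept with the line wrapping the mail client introduced.
SESSION_LOG = """\
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
67.70.68.8  port: 63960  pkts: 1  bytes: 0] [Client IP: 147.52.78.17  port: 2213  pkts: 1  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
147.52.136.3  port: 4662  pkts: 2  bytes: 0] [Client IP: 87.90.0.251  port: 27786  pkts: 2  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
147.52.3.67  port: 4662  pkts: 2  bytes: 0] [Client IP: 88.35.43.210  port: 4788  pkts: 2  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
61.123.32.10  port: 13340  pkts: 1  bytes: 0] [Client IP: 147.52.48.227  port: 1634  pkts: 1  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
66.151.150.12  port: 2703  pkts: 4  bytes: 103] [Client IP: 147.52.67.2  port: 47818  pkts: 2  bytes: 17]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
147.52.110.2  port: 1433  pkts: 4  bytes: 86] [Client IP: 67.110.178.233  port: 43413  pkts: 5  bytes: 168]
"""

# One side of a record; \s* also spans the newline inserted after "IP:".
SIDE = r"\[{label} IP:\s*(\S+)\s+port:\s*(\d+)\s+pkts:\s*(\d+)\s+bytes:\s*(\d+)\]"
RECORD_RE = re.compile(
    r"\[\*\] Session => Start: (\S+) End Time: (\S+)\s*"
    + SIDE.format(label="Server") + r"\s*" + SIDE.format(label="Client")
)

def parse_sessions(text):
    """Return one dict per session record found in stream4 session.log text."""
    sessions = []
    for m in RECORD_RE.finditer(text):
        start, end, sip, sport, spk, sby, cip, cport, cpk, cby = m.groups()
        sessions.append({
            "start": start, "end": end,
            "server": (sip, int(sport)), "server_pkts": int(spk), "server_bytes": int(sby),
            "client": (cip, int(cport)), "client_pkts": int(cpk), "client_bytes": int(cby),
        })
    return sessions

def classify(s):
    """Label a session by which sides carried payload (assumes 'bytes' is TCP payload)."""
    if s["server_bytes"] == 0 and s["client_bytes"] == 0:
        return "no_payload"   # packets seen, no data either way: handshake/reset-only flow
    if s["server_bytes"] == 0 or s["client_bytes"] == 0:
        return "one_sided"    # data flowed in one direction only
    return "data"

def no_payload_by_server_port(sessions):
    """Count payload-less sessions per server port to see where they cluster."""
    return Counter(s["server"][1] for s in sessions if classify(s) == "no_payload")

if __name__ == "__main__":
    parsed = parse_sessions(SESSION_LOG)
    for s in parsed:
        print(classify(s), s["server"], s["client"])
    print(no_payload_by_server_port(parsed))
```

On the six quoted records, four are payload-less and the remaining two (server ports 2703 and 1433) carried data in both directions.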