[Snort-users] Questions on stream inspection

Kamran Shafi kamran.shafi at ...11827...
Mon Mar 17 16:33:51 EDT 2008

Hello Guys,

Sorry but I have more questions to ask as part of my learning curve :-)

- When is a TCP session considered established? The Snort manual says, for the
require_3whs option: "Establish sessions only on completion of a
SYN/SYN-ACK/ACK handshake. The default is off."
- What about UDP and ICMP sessions?
- Does Snort inspect each packet belonging to a stream individually or in
the context of the stream? More specifically, do the keywords such as depth
and offset look for patterns in each packet independently or relative to the
start of a session?
