Snort mailing list archives
stream4 - zero bytes records
From: "Elias Athanasopoulos" <elathan () ics forth gr>
Date: Thu, 25 May 2006 17:12:41 +0300
Hello! I am using stream4 with the configuration below:

preprocessor stream4: disable_evasion_alerts, keepstats machine
preprocessor stream4_reassemble: both, ports:all

However, in the session.log file I have a lot of records *but not all* with zero bytes on the Client side, on the Server side or both. For example:

[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15
[Server IP: 67.70.68.8 port: 63960 pkts: 1 bytes: 0]
[Client IP: 147.52.78.17 port: 2213 pkts: 1 bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15
[Server IP: 147.52.136.3 port: 4662 pkts: 2 bytes: 0]
[Client IP: 87.90.0.251 port: 27786 pkts: 2 bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15
[Server IP: 147.52.3.67 port: 4662 pkts: 2 bytes: 0]
[Client IP: 88.35.43.210 port: 4788 pkts: 2 bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15
[Server IP: 61.123.32.10 port: 13340 pkts: 1 bytes: 0]
[Client IP: 147.52.48.227 port: 1634 pkts: 1 bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15
[Server IP: 66.151.150.12 port: 2703 pkts: 4 bytes: 103]
[Client IP: 147.52.67.2 port: 47818 pkts: 2 bytes: 17]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15
[Server IP: 147.52.110.2 port: 1433 pkts: 4 bytes: 86]
[Client IP: 67.110.178.233 port: 43413 pkts: 5 bytes: 168]

A snorter in #snort told me that there are cases where snort logs 0 bytes (especially in Web traffic). If this is the case, is there a place where I can find the heuristics used by snort (or stream4) for that decision?

PS. Please 'cc' me as I am not subscribed.

Regards,
--
Elias Athanasopoulos
Distributed Computing Systems (DCS)
Institute of Computer Science (ICS/FORTH)
Heraklion, Crete

A bug can become a feature by documenting it.
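Before asking why stream4 writes such records, it helps to measure how many there are and on which side the byte count is zero. The following parser for the session.log layout quoted above is an added example, not code from the post or from Snort; its line patterns are an assumption derived from the quoted records, and the third sample record (192.0.2.x addresses) is constructed to show a one-sided case.

```python
import re

# Line patterns written against the record layout quoted in the post
# (an assumption about the format, not taken from the Snort source).
HEADER_RE = re.compile(r"\[\*\] Session => Start: (\S+) End Time: (\S+)")
SIDE_RE = re.compile(r"\[(Server|Client) IP: ([\d.]+) port: (\d+) "
                     r"pkts: (\d+) bytes: (\d+)\]")

def parse_session_log(text):
    """Parse stream4 session.log text into dicts; records missing a side are dropped."""
    sessions, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER_RE.match(line):
            cur = {"start": m[1], "end": m[2]}
        elif (m := SIDE_RE.match(line)) and cur is not None:
            cur[m[1].lower()] = {"ip": m[2], "port": int(m[3]),
                                 "pkts": int(m[4]), "bytes": int(m[5])}
            if "server" in cur and "client" in cur:
                sessions.append(cur)
                cur = None
    return sessions

def zero_sides(session):
    """Which side(s) reported zero bytes: 'both', 'server', 'client' or 'none'."""
    z = [s for s in ("server", "client") if session[s]["bytes"] == 0]
    return "both" if len(z) == 2 else (z[0] if z else "none")

def summarize(sessions):
    """Count sessions by which side reported zero bytes."""
    counts = {"both": 0, "server": 0, "client": 0, "none": 0}
    for s in sessions:
        counts[zero_sides(s)] += 1
    return counts

# Two records copied from the post plus one constructed record (192.0.2.x, a
# documentation address range) with payload on the client side only.
SAMPLE = """\
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15
[Server IP: 67.70.68.8 port: 63960 pkts: 1 bytes: 0]
[Client IP: 147.52.78.17 port: 2213 pkts: 1 bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15
[Server IP: 66.151.150.12 port: 2703 pkts: 4 bytes: 103]
[Client IP: 147.52.67.2 port: 47818 pkts: 2 bytes: 17]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15
[Server IP: 192.0.2.10 port: 80 pkts: 1 bytes: 0]
[Client IP: 192.0.2.20 port: 40000 pkts: 2 bytes: 64]
"""

if __name__ == "__main__":
    print(summarize(parse_session_log(SAMPLE)))
```

Grouping the parsed sessions by server port (e.g. 4662 or 1433 in the records above) shows whether the empty records cluster on particular services, which is the first thing to check before treating them as reassembly noise.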