Snort mailing list archives

Re: stream4 - zero bytes records


From: Joel Esler <joel.esler () sourcefire com>
Date: Fri, 26 May 2006 08:41:04 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sure, I suggest a read of the "Protocol Flow Analyzer" Whitepaper at
http://www.snort.org/docs/#devel.  It may fill in some blanks for you.

(Generally, I suggest everyone take a look at the 4 whitepapers at the
above link, starting with "Snort 2.0" (yes, they are still valid).
Please go take a look at these, they will explain a lot for you!)

Joel

Elias Athanasopoulos wrote:
Hello!

I am using stream4 with the configuration below:

preprocessor stream4: disable_evasion_alerts, keepstats machine
preprocessor stream4_reassemble: both, ports:all

However, in the session.log file I have a lot of records *but not all*
with zero bytes on the Client side, on the Server side, or both.

For example:

[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 67.70.68.8  port: 63960  pkts: 1  bytes: 0] [Client IP: 147.52.78.17  port: 2213  pkts: 1  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 147.52.136.3  port: 4662  pkts: 2  bytes: 0] [Client IP: 87.90.0.251  port: 27786  pkts: 2  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 147.52.3.67  port: 4662  pkts: 2  bytes: 0] [Client IP: 88.35.43.210  port: 4788  pkts: 2  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 61.123.32.10  port: 13340  pkts: 1  bytes: 0] [Client IP: 147.52.48.227  port: 1634  pkts: 1  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 66.151.150.12  port: 2703  pkts: 4  bytes: 103] [Client IP: 147.52.67.2  port: 47818  pkts: 2  bytes: 17]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 147.52.110.2  port: 1433  pkts: 4  bytes: 86] [Client IP: 67.110.178.233  port: 43413  pkts: 5  bytes: 168]

A snorter in #snort told me that there are cases where snort logs 0 bytes
(especially in Web traffic). If this is the case, is there a place where I can
find the heuristics used by snort (or stream4) for that decision?

PS. Please, 'cc' me as I am not subscribed.

Regards,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEdvdgKbCSyXHckt4RAlMuAJ9sfP905uSti8OMpjVXs+WqhBVo9ACfdVjk
KdaqM6YVtajzI5bjC7h39jY=
=pEuN
-----END PGP SIGNATURE-----


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
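The records quoted in the question can be sorted mechanically rather than by eye. The following is an added example, not code from the original thread or from Snort itself: a small Python parser for stream4 `keepstats machine` session.log lines that separates records with no bytes on either side from the rest and tallies the empty ones per server port. It assumes that the `bytes` counters are TCP payload bytes per direction, so that a session with one or two packets per side and zero bytes is a handshake or SYN/RST exchange that never carried data; that reading is consistent with the records shown but is an assumption, as the thread does not confirm it. The sample input is constructed from the six records quoted above, rejoined onto one line each, plus one deliberately malformed line to show the skip path.

```python
"""Parse Snort stream4 session.log records and separate the zero-byte ones."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the six records quoted in the message, each
# rejoined onto a single line (stream4 writes one record per line; the mail
# client wrapped them), plus one junk line that the parser must skip.
SAMPLE_LOG = """\
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 67.70.68.8  port: 63960  pkts: 1  bytes: 0] [Client IP: 147.52.78.17  port: 2213  pkts: 1  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 147.52.136.3  port: 4662  pkts: 2  bytes: 0] [Client IP: 87.90.0.251  port: 27786  pkts: 2  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 147.52.3.67  port: 4662  pkts: 2  bytes: 0] [Client IP: 88.35.43.210  port: 4788  pkts: 2  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 61.123.32.10  port: 13340  pkts: 1  bytes: 0] [Client IP: 147.52.48.227  port: 1634  pkts: 1  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 66.151.150.12  port: 2703  pkts: 4  bytes: 103] [Client IP: 147.52.67.2  port: 47818  pkts: 2  bytes: 17]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 147.52.110.2  port: 1433  pkts: 4  bytes: 86] [Client IP: 67.110.178.233  port: 43413  pkts: 5  bytes: 168]
this line is not a session record and must be skipped
"""

TS_FORMAT = "%m/%d/%y-%H:%M:%S"

# One regex for the whole record. The end timestamp is followed directly by
# "[Server" with no space, so the timestamp classes exclude "[" as well as
# whitespace; otherwise \S+ would swallow "[Server".
RECORD_RE = re.compile(
    r"^\[\*\] Session => Start: (?P<start>[^\s\[]+) End Time: (?P<end>[^\s\[]+)"
    r"\[Server IP: (?P<sip>\S+)\s+port: (?P<sport>\d+)\s+pkts: (?P<spkts>\d+)\s+bytes: (?P<sbytes>\d+)\]"
    r"\s*\[Client IP: (?P<cip>\S+)\s+port: (?P<cport>\d+)\s+pkts: (?P<cpkts>\d+)\s+bytes: (?P<cbytes>\d+)\]\s*$"
)


@dataclass(frozen=True)
class Session:
    start: datetime
    end: datetime
    server_ip: str
    server_port: int
    server_pkts: int
    server_bytes: int
    client_ip: str
    client_port: int
    client_pkts: int
    client_bytes: int

    @property
    def duration_s(self) -> float:
        return (self.end - self.start).total_seconds()

    def kind(self) -> str:
        """Classify by which side carried bytes.

        Assumption (not stated on the page): the bytes counters are payload
        bytes, so "empty" means control packets only, e.g. a SYN answered by
        RST or a handshake that never completed. "one-way" means payload in
        one direction only; "data" means payload in both.
        """
        s, c = self.server_bytes > 0, self.client_bytes > 0
        if s and c:
            return "data"
        if s or c:
            return "one-way"
        return "empty"


def parse_session_log(text):
    """Return (sessions, skipped_line_count) for a session.log body."""
    sessions, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RECORD_RE.match(line)
        if m is None:
            skipped += 1  # keep going; one bad line must not lose the file
            continue
        g = m.groupdict()
        sessions.append(Session(
            start=datetime.strptime(g["start"], TS_FORMAT),
            end=datetime.strptime(g["end"], TS_FORMAT),
            server_ip=g["sip"], server_port=int(g["sport"]),
            server_pkts=int(g["spkts"]), server_bytes=int(g["sbytes"]),
            client_ip=g["cip"], client_port=int(g["cport"]),
            client_pkts=int(g["cpkts"]), client_bytes=int(g["cbytes"]),
        ))
    return sessions, skipped


def summarize(sessions):
    """Count sessions per kind and, for the empty ones, per server port.

    Many empty sessions against one server port from different clients is
    what a scan or a probe of a closed/filtered port looks like in this log;
    an empty session here and there is ordinary connection noise.
    """
    by_kind = {"empty": 0, "one-way": 0, "data": 0}
    empty_by_port = {}
    for s in sessions:
        k = s.kind()
        by_kind[k] += 1
        if k == "empty":
            empty_by_port[s.server_port] = empty_by_port.get(s.server_port, 0) + 1
    return by_kind, empty_by_port


if __name__ == "__main__":
    found, bad = parse_session_log(SAMPLE_LOG)
    kinds, ports = summarize(found)
    print(f"{len(found)} sessions parsed, {bad} lines skipped: {kinds}")
    for s in found:
        if s.kind() == "empty":
            print(f"  empty: {s.client_ip}:{s.client_port} -> {s.server_ip}:{s.server_port}"
                  f" ({s.client_pkts}/{s.server_pkts} pkts)")
```

On the sample, four of the six records are empty in both directions (server ports 63960, 4662 twice, and 13340) and two carry data in both directions; the malformed trailing line is counted as skipped rather than aborting the run. Pointing the parser at a real session.log and looking at `empty_by_port` is a quick way to see whether the zero-byte records cluster on a port or are spread out.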
