Snort mailing list archives
Re: stream4 - zero bytes records
From: Joel Esler <joel.esler () sourcefire com>
Date: Fri, 26 May 2006 08:41:04 -0400
Sure, I suggest a read of the "Protocol Flow Analyzer" Whitepaper at http://www.snort.org/docs/#devel. It may fill in some blanks for you.

(Generally, I suggest everyone take a look at the 4 whitepapers at the above link starting with "Snort 2.0" (yes they are still valid). Please go take a look at these, they will explain a lot for you!)

Joel

Elias Athanasopoulos wrote:
Hello!

I am using stream4 with the configuration below:

preprocessor stream4: disable_evasion_alerts, keepstats machine
preprocessor stream4_reassemble: both, ports:all

However, in the session.log file I have a lot of records *but not all* with zero bytes in the Client side, in the Server side or both. For example:

[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 67.70.68.8 port: 63960 pkts: 1 bytes: 0] [Client IP: 147.52.78.17 port: 2213 pkts: 1 bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 147.52.136.3 port: 4662 pkts: 2 bytes: 0] [Client IP: 87.90.0.251 port: 27786 pkts: 2 bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 147.52.3.67 port: 4662 pkts: 2 bytes: 0] [Client IP: 88.35.43.210 port: 4788 pkts: 2 bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 61.123.32.10 port: 13340 pkts: 1 bytes: 0] [Client IP: 147.52.48.227 port: 1634 pkts: 1 bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 66.151.150.12 port: 2703 pkts: 4 bytes: 103] [Client IP: 147.52.67.2 port: 47818 pkts: 2 bytes: 17]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 147.52.110.2 port: 1433 pkts: 4 bytes: 86] [Client IP: 67.110.178.233 port: 43413 pkts: 5 bytes: 168]

A snorter in #snort told me that there are cases that snort logs 0 bytes (especially in Web traffic). If this is the case, is there a place that I can find the heuristics used by snort (or stream4) for that decision?

PS. Please, 'cc' me as I am not subscribed.

Regards,
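As an added example (not part of the thread, and not Snort's own code), the following parses session.log records in the layout quoted above and sorts them by which side recorded data bytes, so the zero-byte sessions asked about can be pulled out and reviewed against expected traffic. The labels and the sample records are constructed here; the script does not reproduce stream4's internal heuristics.

```python
import re
from collections import Counter

# Constructed sample in the session.log layout quoted in the thread
# (one record per line; the archive page runs them together).
SAMPLE_LOG = """\
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 67.70.68.8 port: 63960 pkts: 1 bytes: 0] [Client IP: 147.52.78.17 port: 2213 pkts: 1 bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 147.52.136.3 port: 4662 pkts: 2 bytes: 0] [Client IP: 87.90.0.251 port: 27786 pkts: 2 bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 66.151.150.12 port: 2703 pkts: 4 bytes: 103] [Client IP: 147.52.67.2 port: 47818 pkts: 2 bytes: 17]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP: 147.52.110.2 port: 1433 pkts: 4 bytes: 86] [Client IP: 67.110.178.233 port: 43413 pkts: 5 bytes: 168]
"""

# One side of a record: "IP: a.b.c.d port: N pkts: N bytes: N"; {p} prefixes the group names.
SIDE = r"IP: (?P<{p}ip>\S+) port: (?P<{p}port>\d+) pkts: (?P<{p}pkts>\d+) bytes: (?P<{p}bytes>\d+)"
RECORD_RE = re.compile(
    r"\[\*\] Session => Start: (?P<start>\S+) End Time: (?P<end>\S+)"
    r"\[Server " + SIDE.format(p="s") + r"\] \[Client " + SIDE.format(p="c") + r"\]"
)

def parse_sessions(text):
    """Return one dict per well-formed record; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for k in ("sport", "spkts", "sbytes", "cport", "cpkts", "cbytes"):
                rec[k] = int(rec[k])
            out.append(rec)
    return out

def classify(rec):
    """Hypothetical labelling by which side recorded data bytes.

    'no_payload' is the case raised in the thread: packets were counted on
    both sides but no data bytes were recorded in either direction."""
    s, c = rec["sbytes"] > 0, rec["cbytes"] > 0
    if s and c:
        return "bidirectional"
    if s or c:
        return "server_only" if s else "client_only"
    return "no_payload"

def summarize(text):
    """Count sessions per label and list (server IP, server port) of the
    no_payload ones so they can be checked against the hosts' expected services."""
    sessions = parse_sessions(text)
    counts = Counter(classify(r) for r in sessions)
    empty = [(r["sip"], r["sport"]) for r in sessions if classify(r) == "no_payload"]
    return dict(counts), empty

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```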
Current thread:
- stream4 - zero bytes records Elias Athanasopoulos (May 26)
- Re: stream4 - zero bytes records Joel Esler (May 26)
- Re: stream4 - zero bytes records Martin Roesch (May 26)