Snort mailing list archives

stream4 - zero bytes records


From: "Elias Athanasopoulos" <elathan () ics forth gr>
Date: Thu, 25 May 2006 17:12:41 +0300

Hello!

I am using stream4 with the configuration below:

preprocessor stream4: disable_evasion_alerts, keepstats machine
preprocessor stream4_reassemble: both, ports:all

However, in the session.log file I have a lot of records *but not all* 
with zero bytes in the Client side, in the Server side or both. 

For example:

[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
67.70.68.8  port: 63960  pkts: 1  bytes: 0] [Client IP: 147.52.78.17  port: 2213  pkts: 1  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
147.52.136.3  port: 4662  pkts: 2  bytes: 0] [Client IP: 87.90.0.251  port: 27786  pkts: 2  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
147.52.3.67  port: 4662  pkts: 2  bytes: 0] [Client IP: 88.35.43.210  port: 4788  pkts: 2  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
61.123.32.10  port: 13340  pkts: 1  bytes: 0] [Client IP: 147.52.48.227  port: 1634  pkts: 1  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
66.151.150.12  port: 2703  pkts: 4  bytes: 103] [Client IP: 147.52.67.2  port: 47818  pkts: 2  bytes: 17]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
147.52.110.2  port: 1433  pkts: 4  bytes: 86] [Client IP: 67.110.178.233  port: 43413  pkts: 5  bytes: 168]

A snorter in #snort told me that there are cases that snort logs 0 bytes
(especially in Web traffic). If this is the case, is there a place that I can
find the heuristics used by snort (or stream4) for that decision?

PS. Please, 'cc' me as I am not subscribed.

Regards,
-- 
Elias Athanasopoulos
Distributed Computing Systems (DCS)
Institute of Computer Science (ICS/FORTH)
Heraklion, Crete

A bug can become a feature by documenting it.
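As an added example (not part of the original post and not Snort's own code), here is a small Python parser for records in the session.log layout quoted above. It rejoins the wrapped lines, pulls out the per-side packet and byte counts, and buckets each session by whether payload bytes were seen on both sides, one side, or neither, which is the first sorting step before deciding whether zero-byte entries are handshake-only connections, scans, or something else. The sample records are constructed in the same format with documentation-range addresses; the code does not reproduce stream4's own byte-accounting logic, which is what the post asks about.

```python
import re
from collections import Counter

# Constructed sample in the layout of the stream4 session.log records quoted
# in the post (documentation-range addresses, line-wrapped as in the mail).
SAMPLE_LOG = """\
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
192.0.2.10  port: 63960  pkts: 1  bytes: 0] [Client IP: 198.51.100.7  port: 2213  pkts: 1  bytes: 0]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
192.0.2.12  port: 2703  pkts: 4  bytes: 103] [Client IP: 198.51.100.2  port: 47818  pkts: 2  bytes: 17]
[*] Session => Start: 05/25/06-17:23:15 End Time: 05/25/06-17:23:15[Server IP:
192.0.2.5  port: 80  pkts: 3  bytes: 0] [Client IP: 198.51.100.9  port: 4100  pkts: 4  bytes: 210]
"""

RECORD_MARK = "[*] Session =>"

# One regex for a whole record once its wrapped lines have been rejoined.
RECORD_RE = re.compile(
    r"Start:\s*(?P<start>\S+)\s+End Time:\s*(?P<end>[^\s\[]+)\s*"
    r"\[Server IP:\s*(?P<server_ip>[\d.]+)\s+port:\s*(?P<server_port>\d+)\s+"
    r"pkts:\s*(?P<server_pkts>\d+)\s+bytes:\s*(?P<server_bytes>\d+)\]\s*"
    r"\[Client IP:\s*(?P<client_ip>[\d.]+)\s+port:\s*(?P<client_port>\d+)\s+"
    r"pkts:\s*(?P<client_pkts>\d+)\s+bytes:\s*(?P<client_bytes>\d+)\]"
)

INT_FIELDS = ("server_port", "server_pkts", "server_bytes",
              "client_port", "client_pkts", "client_bytes")


def parse_session_log(text):
    """Return one dict per session record; chunks that do not parse are skipped."""
    sessions = []
    for chunk in text.split(RECORD_MARK):
        flat = " ".join(chunk.split())      # undo mail/terminal line wrapping
        m = RECORD_RE.search(flat)
        if not m:
            continue
        rec = m.groupdict()
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        sessions.append(rec)
    return sessions


def classify(session):
    """Label a session by which side carried payload bytes."""
    s, c = session["server_bytes"], session["client_bytes"]
    if s == 0 and c == 0:
        return "no_payload"       # packets seen, but no data in either direction
    if s == 0 or c == 0:
        return "one_sided"        # only one direction carried data
    return "bidirectional"


def summarize(sessions):
    """Count sessions per classification label."""
    return dict(Counter(classify(s) for s in sessions))


def zero_byte_sessions(sessions):
    """Sessions with a zero byte count on at least one side, for triage."""
    return [s for s in sessions if classify(s) != "bidirectional"]


if __name__ == "__main__":
    parsed = parse_session_log(SAMPLE_LOG)
    print(summarize(parsed))
    for s in zero_byte_sessions(parsed):
        print(f'{s["client_ip"]}:{s["client_port"]} -> '
              f'{s["server_ip"]}:{s["server_port"]} '
              f'pkts={s["client_pkts"]}/{s["server_pkts"]} '
              f'bytes={s["client_bytes"]}/{s["server_bytes"]} ({classify(s)})')
```

To run it over a real file, read session.log into a string and pass it to `parse_session_log`; the `no_payload` bucket is where the records the post describes land, and the packet counts kept alongside make it easy to separate single-packet entries from multi-packet ones when reviewing them.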


