Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Stream5 confusion

From: "Lay, James" <james.lay () wincofoods com>
Date: Tue, 28 Dec 2010 16:00:48 -0700
So...I'm doing my upgrade to 2.9.0.3, a perfect time to audit my .conf 
files.  Maybe I'm over thinking, but I think I'm confused on the 
reasons/differences for stream5 ports client/server/both.


in ports <client|server|both> - the directives indicate from which side of the connection you would like to have 
stream5 reassemble the packets.



The default config has things like:

               ports client 21 22 23 ...


This says to reassemble packets from the client side where dst_port is 21, 22, 23. TCP/21, 22, 23 is the server port 
and Snort reassembles the client side in this config directive


               ports both 80 311 443 ...


This then means to reassemble packets from both sides of the connection where the dst_port is 80, 211, 443, etc...


Pretending that we don't have ftp, http, and telnet preprocessors, 
wouldn't one want to put things like 21, 22, and 23 in as both or 
server?  As I understand it, this is how it works, with port 80 as an
example:

               ports server 80, reassemble any local -> remote port 80

               ports client 80, reassemble local port 80 -> any remote 
port

               ports both 80, reassemble local port 80 -> any remote 
port or local port 80 -> any remote port


Hope the above helps...

~elh

[>] It does...thank you Eric.

James

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: