Menu
▾
▴
Re: [Snort-inline-users] iptstate for stream4: RELATED mistake?
|
From: Victor J. <vi...@nk...> - 2004-07-24 17:46:17
|
On Saturday 24 July 2004 19:16, Victor Julien wrote: > Victor Julien wrote: > > Hi Will, List, > > > > I was thinking about the aproach and i think i've made a little mistake. > > The patch asumes only NEW connection can start a tcp-connection and > > ESTABLISHED and RELATED don't. However, if i'm not mistaken, RELATED > > connections can also set up connections. This is because RELATED takes > > care of the ftp-data connection for example, which is of-course a normal > > tcp connection. After the setting up of this RELATED connection, it > > becomes ESTABLISHED (i asume, correct me if i'm wrong). So basicly what > > i'm saying is that we should mark NEW,RELATED 0x10 and ESTABLISHED 0x11. > > > > I will try to test this asap. > > Well, my assumption was correct. Stream4 is about tcp connections, and a > RELATED packet is always a packet to set up a new connection. After this > RELATED/syn packet, the connection becomes ESTABLISHED in netfilter. So > basicly, i think we can handle NEW and RELATED exactly in the same way, > or does anyone think that it would be useful to make a distinction > between NEW, ESTABLISHED _and_ RELATED? > > I'll post the updated patch later today. As promised, the updated patch. Have fun. Victor > > Regards, > Victor > > > Regards, > > Victor > > > > > > ------------------------------------------------------- > > This SF.Net email is sponsored by BEA Weblogic Workshop > > FREE Java Enterprise J2EE developer tools! > > Get your free copy of BEA WebLogic Workshop 8.1 today. > > http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click > > _______________________________________________ > > Snort-inline-users mailing list > > Sno...@li... > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users > > ------------------------------------------------------- > This SF.Net email is sponsored by BEA Weblogic Workshop > FREE Java Enterprise J2EE developer tools! > Get your free copy of BEA WebLogic Workshop 8.1 today. > http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click > _______________________________________________ > Snort-inline-users mailing list > Sno...@li... > https://lists.sourceforge.net/lists/listinfo/snort-inline-users |
