Rule Options

109

These options may be confusing the first time you look at them. Just keep in mind

that options starting with  to  are used for responses and options starting with  from 

are used for requests.

Other options are also available which are used to apply the rule to different states

of a TCP connection. 

  The stateless option is used to apply the rule without considering the state of a

TCP session.

  The  established option is used to apply the rule to established TCP sessions

only.

  The no_stream option enables rules to be applied to packets that are not built

from a stream.

  The stream_only option is used to apply the rules to only those packets that are

built from a stream.

TCP streams are handled by the stream4 preprocessor discussed in the next chap 

ter. TCP streams are also discussed in RFC 793. A TCP session is established and fin 

ished with a defined sequence of TCP packet exchanges as defined in RFC 793. The

stateless and established options are related to TCP session state.

3.6.29 The session Keyword

The session keyword can be used to dump all data from a TCP session. It can

dump all session data or just printable characters. The following rule dumps all print 

able data from POP3 sessions:

log tcp any any  > 192.168.1.0/24 110 (session: printable;)

If you use  all  as argument to this keyword, everything will be dumped.  Use the

logto keyword to log the traffic to a particular file.

A TCP session is a sequence of data packets exchanged between two hosts. The

session is usually initiated and closed by the client using the three way handshake

method discussed in RFC 793. For example, when your e mail client software starts

collecting e mail from a POP3 server, it first starts the communication by exchanging

TCP packets. The mail is then downloaded. After downloading the e mail, the client

closes the connection. All communication taking place during this process is a TCP

session.