Snort mailing list archives
Re: Taking out the traffic on ports 22 and 443 suggestive?
From: Brian <bmc () snort org>
Date: Thu, 24 Apr 2003 12:20:22 -0400
On Wed, Apr 23, 2003 at 04:28:34PM +0200, Edin Dizdarevic wrote:
> I was wondering if it would make sense to relieve Snort by taking out the ports 22 and 443 using the BPF filters. HTTP(S) packets are usually quite big and looking inside of them is quite senseless for obvious reasons. With SSH stream4 is additionally burdened since those packets are usually quite small and are filling up its memory waiting to be reassembled. Senseless too, IMHO... Of course scans won't be seen, but is that really important since a simple connect scan will find those ports open?
Well, you will miss attacks before the encryption is set up. (Which there have been a few)

If you are really concerned, you can [ab]use httpflow to ignore sessions after a specific number of bytes. In the following example, snort will start ignoring packets in sessions after 1000 bytes on ports 22 and 443.

    preprocessor httpflow: depth 1000 ports 22 443

-brian
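The difference between the two approaches in this exchange (a BPF port filter that hides the whole session, versus a per-session byte depth that still lets the pre-encryption handshake through) is easy to see on a small model. The following is an added illustration, not Snort's code and not anything from the thread: it models a flow-keyed byte counter with the 1000-byte depth and ports 22/443 from Brian's example, runs it over a constructed SSH session plus one HTTP packet, and shows which packets each strategy would still inspect. The packet dictionaries, addresses and payloads are constructed sample data; whether the packet that crosses the depth boundary is still inspected is an assumption of this model.

```python
"""Model of the two filtering strategies from the thread (added example, not Snort code).

- bpf_port_filter: what a BPF 'not (port 22 or port 443)' does; the session is never seen.
- DepthLimitedInspector: a per-session byte budget, as Brian describes for httpflow;
  the session is inspected until `depth` payload bytes have passed, then ignored.
"""
from collections import defaultdict

ENCRYPTED_PORTS = {22, 443}   # ports named in the thread
DEPTH = 1000                  # "depth 1000" from Brian's example config


def make_packet(src, sport, dst, dport, payload, note):
    """Minimal packet record; only what the two strategies need."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "payload": payload, "note": note}


def flow_key(pkt):
    """Direction-independent key so both halves of a session share one byte counter."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return tuple(sorted([a, b]))


def bpf_port_filter(packets, ports=ENCRYPTED_PORTS):
    """BPF-style exclusion: every packet touching a listed port is dropped before inspection."""
    return [p for p in packets if p["sport"] not in ports and p["dport"] not in ports]


class DepthLimitedInspector:
    """Inspect a session on a listed port only until `depth` payload bytes have been seen."""

    def __init__(self, depth=DEPTH, ports=ENCRYPTED_PORTS):
        self.depth = depth
        self.ports = ports
        self.seen = defaultdict(int)   # flow key -> payload bytes already counted

    def should_inspect(self, pkt):
        if pkt["sport"] not in self.ports and pkt["dport"] not in self.ports:
            return True                # not a limited port: always inspected
        key = flow_key(pkt)
        already = self.seen[key]
        self.seen[key] += len(pkt["payload"])
        # Assumption of this model: a packet is inspected if it begins before the cut-off.
        return already < self.depth

    def filter(self, packets):
        return [p for p in packets if self.should_inspect(p)]


# Constructed sample traffic: an SSH session (cleartext banners and key-exchange
# packets, then encrypted bulk data) followed by one HTTP request.
C, S = ("10.0.0.5", 40000), ("10.0.0.9", 22)
SAMPLE = [
    make_packet(*C, *S, b"SSH-2.0-ExampleClient_1.0\r\n", "client banner (cleartext)"),
    make_packet(*S, *C, b"SSH-2.0-ExampleServer_1.0\r\n", "server banner (cleartext)"),
    make_packet(*C, *S, b"\x14" + b"\x00" * 500, "client KEXINIT (cleartext)"),
    make_packet(*S, *C, b"\x14" + b"\x00" * 500, "server KEXINIT (cleartext)"),
    make_packet(*C, *S, b"\xaa" * 1460, "encrypted bulk 1"),
    make_packet(*S, *C, b"\xbb" * 1460, "encrypted bulk 2"),
    make_packet(*C, *S, b"\xcc" * 1460, "encrypted bulk 3"),
    make_packet("10.0.0.5", 40001, "10.0.0.9", 80, b"GET / HTTP/1.0\r\n\r\n", "HTTP request"),
]


def inspected_notes(packets, strategy):
    """Return the notes of the packets a strategy would still hand to the detection engine."""
    return [p["note"] for p in strategy(packets)]


def compare(packets=SAMPLE):
    """Run both strategies over the same traffic and report what each one still inspects."""
    return {
        "bpf": inspected_notes(packets, bpf_port_filter),
        "depth": inspected_notes(packets, DepthLimitedInspector().filter),
    }


if __name__ == "__main__":
    for name, notes in compare().items():
        print(f"{name}: {len(notes)} of {len(SAMPLE)} packets inspected")
        for n in notes:
            print("   ", n)
```

With the constructed session, the BPF filter leaves only the HTTP request for Snort to see, while the depth-limited model still inspects both banners and both key-exchange packets (1049 bytes in total, the last one starting at byte 548) and drops the three encrypted bulk packets; that is exactly the window in which Brian's "attacks before the encryption is set up" would have to be caught.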
Current thread:
- Taking out the traffic on ports 22 and 443 suggestive? Edin Dizdarevic (Apr 23)
- Re: Taking out the traffic on ports 22 and 443 suggestive? Erek Adams (Apr 23)
- Re: Taking out the traffic on ports 22 and 443 suggestive? Alberto Gonzalez (Apr 23)
- Re: Taking out the traffic on ports 22 and 443 suggestive? Edin Dizdarevic (Apr 23)
- Re: Taking out the traffic on ports 22 and 443 suggestive? Brian (Apr 24)
- Re: Taking out the traffic on ports 22 and 443 suggestive? Brian (Apr 24)