Snort mailing list archives

Stream preprocessor small segment port suppression


From: Andrea Venturoli <ml () netfence it>
Date: Thu, 21 Jul 2016 19:14:53 +0200

Hello.

I've got another question about Stream preprocessor...

small_segments features an "ignore_ports" option; so, for example, I 
could put the following in my config:

small_segments 5 bytes 100 ignore_ports 23

The idea is that the telnet protocol will often use small packets, so 
I'll just have snort live with it and not overwhelm me with such alerts.

However, I found out that only the destination port will be taken into 
account, so packets traveling from client to server will get ignored, 
but packets flying from server to client (random port here!) will still 
trigger the alert.

Of course "telnet" is just an example, I'm also seeing this with SSH, 
NFS, VPNs, etc...



I'm wondering why only the destination port is taken into account, since 
I can't see the rationale behind this choice.
Or maybe I'm doing something wrong, missing some other option, 
forgetting some other thing?


  bye & Thanks
        av.
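
A simplified model of the behaviour reported in the message above, added here as an illustration; it is not Snort's code and not part of the original post. The function names, the per-direction counter, the reading of "small" as "fewer than the configured bytes" and the constructed telnet session are all assumptions.

```python
from collections import namedtuple

# One TCP segment: ports and payload length only (constructed sample data).
Seg = namedtuple("Seg", "src_port dst_port length")


def small_segment_alerts(segments, count, min_bytes, ignore_ports,
                         match_either=False):
    """Return the indexes of segments at which a small-segment alert fires.

    Assumed model: one counter of consecutive small segments per direction
    (src_port, dst_port), reset by any segment of min_bytes or more.
    match_either=False checks only the destination port against
    ignore_ports (the behaviour the post reports); match_either=True also
    checks the source port (the behaviour the poster expected).
    """
    ignored = set(ignore_ports)
    runs = {}
    alerts = []
    for i, seg in enumerate(segments):
        ports = {seg.dst_port}
        if match_either:
            ports.add(seg.src_port)
        if ports & ignored:
            continue                      # suppressed by ignore_ports
        key = (seg.src_port, seg.dst_port)
        if seg.length >= min_bytes:
            runs[key] = 0                 # a normal-sized segment ends the run
            continue
        runs[key] = runs.get(key, 0) + 1
        if runs[key] == count:            # fire once, when the run reaches count
            alerts.append(i)
    return alerts


def telnet_session(client_port=50000, keystrokes=6):
    """Constructed interactive session: 1-byte keystroke, then 1-byte echo."""
    segs = []
    for _ in range(keystrokes):
        segs.append(Seg(client_port, 23, 1))   # client -> server
        segs.append(Seg(23, client_port, 1))   # server -> client
    return segs


if __name__ == "__main__":
    session = telnet_session()
    # Mirrors "small_segments 5 bytes 100 ignore_ports 23" from the post.
    print("dst port only :", small_segment_alerts(session, 5, 100, [23]))
    print("either port   :", small_segment_alerts(session, 5, 100, [23], True))
```

With destination-only matching the server-to-client echoes still reach the threshold, because their destination is the client's ephemeral port rather than 23.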
