Re: Stream4

[Martin Roesch <roesch () sourcefire com>]

On 1/28/02 5:43 PM, "Matt Jonkman" <matt () jonkmans com> wrote:

> Where can I find more detailed documentation on stream4?
>
> Specifically, I'm wondering if the setect_scans functionality replaces the
> abilities of the portscan preprocessor.

Not yet.  Right now it detects stealth scans and nmap fingerprint scanning,
but we don't have the code in to statefully pick up SYN scans.

IMHO, I think we should move to post-process detection of SYN/UDP scans by
utilizing the keep_stats function that stream4 supports, there's no burning
need for real-time detection of SYN scans in the general case (but that's
just me talking...)

> We'd prefer to use the stream4 plugin as it formats database entries
> correctly with source and dest IP making things much easier to research.
>
> I can make stream4 alert on a very overt xmas scan, but nothing for a syn or
> tcp scan. Are there parameters to set to make it more sensitive?

Nope.  We've toyed with the idea of doing things like looking for short
sessions (SYN-SYNACK-RST, full connect with RST) and detecting just them,
we've also toyed with the idea of doing straight rate detection for SYN
packets.  Both methods have their ups and downs from a performance and
memory management perspective, which is why I've held off on implementing
them.

If you want to take a stab at implementing it, I'll take a look at what you
come up with.


     -Marty

-- 
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users