Snort mailing list archives

Re: A question about flow:established keyword


From: twig les <twigles () yahoo com>
Date: Wed, 26 Mar 2003 14:37:29 -0800 (PST)

An interesting dilemma, and one I believe can be solved with
timers.  Does anyone know of a website that has a list of
default session timers for different stacks?  It seems kind of
obscure but handy, since all we'd have to do is increase the
Snort timeout to one second more than the longest one.

--- Shadi Rostami <shadi () inkra com> wrote:
Hello,
I believe when we set the value of flow to "established",
Snort only looks for that attack after the connection is
established (i.e. the 3-way TCP handshake is done).

Also, I assume that there should be a time-out for TCP
sessions (i.e. after the session is idle for a period of time,
it would be considered dead and the memory assigned to it,
including the session data and status, will be de-allocated).

What happens when
      1. A TCP connection is established (3-way handshake is
         done), but it remains idle for a long time.
      2. During that time, the session times out and the session
         data is de-allocated.
      3. The client sends packets belonging to that session.  The
         server might still have that session data, so it accepts them as
         the old session and communicates with the client fine.
      4. Snort sees this new packet as a new session (although it
         is an old session), won't see any 3-way handshake and
         will not look for the attacks.

Are we going to lose some attacks in the above situation?

Thanks
--Shadi


-------------------------------------------------------
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------



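To make the four steps in Shadi's question concrete, here is an added toy model of a session tracker with an idle timeout; it is my own illustration for this thread, not Snort's code, and the hosts, ports, timeouts and the RULE_CONTENT marker are all constructed. It replays the handshake, the long idle gap and the late client packet, and shows that the established-only rule is silent when the tracker's timeout is shorter than the gap and fires again once the timeout is raised, which is the mitigation twig les proposes.

```python
from dataclasses import dataclass

SYN, ACK, PSH = 0x02, 0x10, 0x08    # standard TCP flag bits
RULE_CONTENT = b"MALICIOUS-MARKER"  # constructed stand-in for a rule's content match

@dataclass
class Session:
    state: str = "NEW"      # NEW -> SYN -> SYNACK -> EST (handshake seen)
    last_seen: float = 0.0

class FlowTracker:
    """Toy tracker with an idle timeout (hypothetical model, not Snort's code)."""

    def __init__(self, timeout):
        self.timeout, self.sessions = timeout, {}

    def process(self, pkt):
        """Returns True if a flow:established rule on RULE_CONTENT would fire."""
        # Sort the endpoints so both directions share one session entry.
        key = tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))
        s = self.sessions.get(key)
        if s and pkt["t"] - s.last_seen > self.timeout:
            del self.sessions[key]          # step 2: idle session evicted, state lost
            s = None
        if s is None:
            s = self.sessions[key] = Session()
        s.last_seen, f = pkt["t"], pkt["flags"]
        if f & SYN and not f & ACK and s.state == "NEW":
            s.state = "SYN"
        elif f & SYN and f & ACK and s.state == "SYN":
            s.state = "SYNACK"
        elif f & ACK and not f & SYN and s.state == "SYNACK":
            s.state = "EST"                 # three-way handshake complete
        # Data on a session whose handshake was never seen stays un-established,
        # so the established-only rule is silent on it (step 4).
        return s.state == "EST" and RULE_CONTENT in pkt["payload"]

def replay(timeout, idle_gap=900.0):
    """Replays the thread's four steps; returns how many alerts fire."""
    tr = FlowTracker(timeout)
    c2s = dict(src="10.0.0.5", sport=40000, dst="10.0.0.9", dport=80)  # constructed hosts
    s2c = dict(src="10.0.0.9", sport=80, dst="10.0.0.5", dport=40000)
    pkts = [
        dict(c2s, t=0.0, flags=SYN, payload=b""),
        dict(s2c, t=0.1, flags=SYN | ACK, payload=b""),
        dict(c2s, t=0.2, flags=ACK, payload=b""),
        dict(c2s, t=0.2 + idle_gap, flags=ACK | PSH, payload=RULE_CONTENT),  # step 3
    ]
    return sum(tr.process(p) for p in pkts)
```

With a 300 s timeout and a 900 s gap `replay(300)` returns 0 (the late packet is treated as a new, unestablished session); with the timeout raised past the gap, `replay(1000)` returns 1.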

