Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Taking out the traffic on ports 22 and 443 suggestive?

From: Brian <bmc () snort org>
Date: Thu, 24 Apr 2003 12:20:22 -0400
On Wed, Apr 23, 2003 at 04:28:34PM +0200, Edin Dizdarevic wrote:

I was wondering if it would make sense to relief Snort by taking
out the ports 22 and 443 using the BPF filters. HTTP(S) packets are
usually quite big and looking inside of them is quite senseless for
obvious reasons. With SSH stream4 is additionally burdened since those
packets are usually quite small and are filling up it's memory waiting
to be reassembled. Senseless too, IMHO...

Of course scans won't be seen, but is that really important since
a simple connect scan will find those ports open?


Well, you will miss attacks before the encryption is setup.  (Which
there have been a few)

If you are really concerned, you can [ab]use httpflow to ignore
sessions after a specific number of bytes.  In the following example, 
snort will start ignoring packets in sessions after 1000 bytes on port
22 and 443.

   preprocessor httpflow: depth 1000 ports 22 443

-brian


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: