Snort mailing list archives

Re: Submit new detection engine?


From: stephane nasdrovisky <stephane.nasdrovisky () uniway be>
Date: Fri, 20 Jun 2003 09:38:10 +0200


One thing to consider instead of timing-out invited tcp sessions is to actively
check whether this session is still active or not. It can be done by sending an
ACK to both parties, if one party replies with a RST, the session is expired.
If you time-out tcp sessions, you'll potentially flood your log with plenty of
false+.

Neal wrote:

  - A session times out after a period of inactivity.
    - An invited session times out after 5 minutes.
    - An uninvited session where my host replies times out after 5 minutes.
    "Why 5 minutes?"  Many home routers timeout NAT sessions after 5
    minutes.  If that's too short, let me know.
    - An uninvited SYN times out after 30 seconds.
    "Why 30 seconds?"  Prevents a SYN-ACK scan from hogging all session
    slots.

Checkpoint firewalls use different timeouts during the handshake phase (60
seconds), the FIN handshake (50 seconds) and the remainder of the packet exchange
(1 hour). It helps reduce the size of the sessions table, especially the
reduced syn/syn-ack/ack timeout.

  - Currently, it tracks 65536+2 simultaneous sessions.
    (65536 ports + 2 more for good luck)
    "Why a fixed number?"  Speed.  Dynamic data structures would really
    slow down Snort.

Hash tables could lead your engine to dynamic & fast behaviour. Unfortunately,
it could consume a lot of memory if not carefully analysed. Note that it would
not add any value to your engine if it targets home lans.

Note that I think snort-users is better suited for this kind of message.
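The two design points raised in this reply, per-state timeouts (short during the SYN/SYN-ACK/ACK and FIN phases, long once established) and a hash table with a hard cap instead of a fixed port-indexed array, as an added example that is not part of the original post or of Snort's own code. The session table below keys on a direction-independent 4-tuple, promotes an entry through HANDSHAKE, ESTABLISHED and CLOSING from the flags it sees, drops it on RST, and expires idle entries against the timeout for their current state. The traffic in `demo()`, the addresses, and the timeout values are constructed for illustration (the timeouts are the Checkpoint figures quoted above).

```python
"""Stateful TCP session table with per-state idle timeouts (added example)."""
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    HANDSHAKE = "handshake"      # SYN seen, three-way handshake not complete
    ESTABLISHED = "established"  # handshake complete, data phase
    CLOSING = "closing"          # FIN seen from either side


# Idle timeout per state, in seconds. A short handshake timeout is what keeps
# unanswered SYNs (scan traffic) from occupying the table for long.
TIMEOUTS = {
    State.HANDSHAKE: 60,
    State.ESTABLISHED: 3600,
    State.CLOSING: 50,
}


@dataclass
class Session:
    state: State
    last_seen: float


class SessionTable:
    """Dict-backed (hash table) session store keyed by a normalised 4-tuple."""

    def __init__(self, timeouts=TIMEOUTS, max_sessions=65538):
        self.timeouts = dict(timeouts)
        self.max_sessions = max_sessions  # hard cap bounds memory use
        self.sessions = {}

    @staticmethod
    def key(src, sport, dst, dport):
        # Both directions of a connection map to the same entry.
        a, b = (src, sport), (dst, dport)
        return (a, b) if a <= b else (b, a)

    def observe(self, src, sport, dst, dport, flags, now):
        """Feed one packet (flags as a string of S/A/F/R); return the state after it."""
        k = self.key(src, sport, dst, dport)
        sess = self.sessions.get(k)

        if "R" in flags:
            # A RST ends the session immediately, no timeout needed.
            self.sessions.pop(k, None)
            return None

        if sess is None:
            if "S" not in flags or "A" in flags:
                return None  # only a bare SYN opens a new entry; midstream packets are ignored
            if len(self.sessions) >= self.max_sessions:
                self.expire(now)  # reclaim idle entries before refusing
                if len(self.sessions) >= self.max_sessions:
                    return None  # table full: refuse rather than grow unbounded
            sess = Session(State.HANDSHAKE, now)
            self.sessions[k] = sess

        sess.last_seen = now
        if "F" in flags:
            sess.state = State.CLOSING
        elif sess.state is State.HANDSHAKE and "A" in flags and "S" not in flags:
            # The final ACK of the handshake (not the SYN-ACK) completes it.
            sess.state = State.ESTABLISHED
        return sess.state

    def expire(self, now):
        """Remove sessions idle longer than their state's timeout; return removed keys."""
        dead = [k for k, s in self.sessions.items()
                if now - s.last_seen > self.timeouts[s.state]]
        for k in dead:
            del self.sessions[k]
        return dead

    def count(self):
        return len(self.sessions)


def demo():
    """Constructed traffic: one full session plus one unanswered SYN."""
    t = SessionTable()
    c, s = "192.0.2.10", "198.51.100.5"       # constructed addresses
    t.observe(c, 40000, s, 80, "S", 0.0)
    t.observe(s, 80, c, 40000, "SA", 0.1)
    t.observe(c, 40000, s, 80, "A", 0.2)       # now ESTABLISHED
    t.observe(c, 40001, s, 22, "S", 0.0)       # SYN that is never answered
    scan_expired = t.expire(61.0)              # handshake timeout hit; data session kept
    t.observe(c, 40000, s, 80, "FA", 100.0)    # FIN moves the session to CLOSING
    close_expired = t.expire(151.0)            # closing timeout hit
    return scan_expired, close_expired, t.count()


if __name__ == "__main__":
    print(demo())
```

Because the scanner's SYN sits in HANDSHAKE, it is gone after 60 seconds while the established session, idle for the same time, survives; with a single 5-minute timeout both would behave the same and the table would fill five times faster under a SYN scan.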



