Snort mailing list archives
Re: Submit new detection engine?
From: stephane nasdrovisky <stephane.nasdrovisky () uniway be>
Date: Fri, 20 Jun 2003 09:38:10 +0200
One thing to consider instead of timing out invited tcp sessions is to actively check whether this session is still active or not. It can be done by sending an ACK to both parties; if one party replies with a RST, the session is expired. If you time out tcp sessions, you'll potentially flood your log with plenty of false+.

Neal wrote:
> - A session times out after a period of inactivity.
> - An invited session times out after 5 minutes.
> - An uninvited session where my host replies times out after 5 minutes. "Why 5 minutes?" Many home routers timeout NAT sessions after 5 minutes. If that's too short, let me know.
> - An uninvited SYN times out after 30 seconds. "Why 30 seconds?" Prevents a SYN-ACK scan from hogging all session slots.
Checkpoint firewalls use different timeouts during the handshake phase (60 seconds), the fin handshake (50 seconds) and the remainder of the packet exchange (1 hour). It helps reduce the size of the sessions table, especially the reduced syn/syn-ack/ack timeout.
> - Currently, it tracks 65536+2 simultaneous sessions. (65536 ports + 2 more for good luck) "Why a fixed number?" Speed. Dynamic data structures would really slow down Snort.
Hash tables could lead your engine to dynamic & fast behaviour. Unfortunately, it could consume a lot of memory if not carefully analysed. Note that it would not add any value to your engine if it targets home lans.

Note that I think snort-users is better suited for this kind of message.
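An added example, not code from this thread or from Snort, of the per-phase timeout scheme described in the reply (60 s handshake, 50 s FIN close, 1 h established) on top of a bounded hash-table session store. The addresses, ports and timestamps are constructed; a real engine would feed it decoded packets.

```python
from dataclasses import dataclass

# Idle timeout per phase, in seconds: the Checkpoint figures quoted in the reply.
TIMEOUTS = {"handshake": 60, "established": 3600, "closing": 50}
MAX_SESSIONS = 65536 + 2  # fixed slot count, as in Neal's engine
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP header flag bits

@dataclass
class Session:
    state: str        # "handshake", "established" or "closing"
    last_seen: float  # timestamp of the last packet in either direction

class SessionTable:
    def __init__(self, capacity=MAX_SESSIONS):
        self.capacity = capacity
        self.sessions = {}  # hash table keyed by the unordered endpoint pair

    @staticmethod
    def key(src, sport, dst, dport):
        # Both directions of one connection map to the same entry.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def observe(self, ts, src, sport, dst, dport, flags):
        """Update the table for one packet; False means the table was full."""
        k = self.key(src, sport, dst, dport)
        if flags & RST:  # a reset from either side ends the session immediately
            self.sessions.pop(k, None)
            return True
        s = self.sessions.get(k)
        if s is None:
            if not (flags & SYN):  # stray mid-stream packet: nothing to track
                return True
            if len(self.sessions) >= self.capacity:
                return False  # table full; the caller decides whether to alert
            self.sessions[k] = Session("handshake", ts)
            return True
        s.last_seen = ts
        if flags & FIN:
            s.state = "closing"
        elif s.state == "handshake" and (flags & ACK) and not (flags & SYN):
            s.state = "established"  # final ACK of the three-way handshake
        return True

    def expire(self, now):
        """Drop entries idle longer than their phase's timeout; return how many."""
        dead = [k for k, s in self.sessions.items()
                if now - s.last_seen > TIMEOUTS[s.state]]
        for k in dead:
            del self.sessions[k]
        return len(dead)
```

With the short handshake timeout, a burst of half-open SYNs is swept out after a minute while a completed session keeps its slot for an hour, which is the table-size saving the reply points at.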