Snort mailing list archives

conversation and portscan2 timeout parameters


From: Rohan Amin <rohan () rohanamin com>
Date: Thu, 6 Nov 2003 20:27:17 -0800

Hi all,

I am trying to understand how the portscan2 and conversation
preprocessors work together.  In particular, I am trying to understand
the timeout options a little bit better.

From the Syngress book (free Chapter 6 PDF download):

conversation timeout: "Defaulting to 120, this defines the time in
seconds for which the conversation preprocessor maintains information.
After timeout seconds of inactivity, a conversation may be pruned to
save resources"

portscan2 timeout: "Defaulting to 60, this parameter sets a time in
seconds that any scanning data will last.  If this time is exceeded
without any activity from a host, data may be pruned."

For the conversation timeout, does it keep X seconds of information
for each conversation?  Or does it wait for X seconds of 'quiet'
before dumping the conversation to that point?  For example if either
host sends a packet at time=1 and not again until time=X-1, will the
packet from time=1 be kept at time=X+2?  If a conversation continues
on for a very long time, at what point does the preprocessor start
pruning?  Same questions for the portscan2 timeout as well.

And finally, how do these two timeout parameters affect each other?  I
know portscan2 is supposed to be dependent on conversation, so how do
the timeout parameters work together (or not)?

Just trying to understand things a bit better.  Hopefully this isn't
too stupid of a question :) Thanks for any help in advance.

Regards,

Rohan
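
The two readings of "timeout" that the question above contrasts, modelled as an added example (this is not code from the original post and not Snort's own preprocessor implementation; the flow key, timestamps and the 120/60 values fed in are constructed to mirror the scenario in the question). The inactivity model prunes a flow only after `timeout` seconds of quiet, while the window model keeps each packet record for exactly `timeout` seconds:

```python
# Added example (not Snort code): two readings of a "timeout in seconds",
# modelled as tiny flow trackers so the difference is visible.
# InactivityTracker prunes a flow only after `timeout` seconds of quiet;
# WindowTracker keeps each packet record for `timeout` seconds regardless.
# Flow keys and timestamps are constructed, not taken from any capture.

class InactivityTracker:
    def __init__(self, timeout):
        self.timeout = timeout
        self.flows = {}  # flow -> list of packet timestamps

    def prune(self, now):
        # Drop whole flows whose newest packet is older than timeout.
        stale = [f for f, ts in self.flows.items() if now - ts[-1] > self.timeout]
        for f in stale:
            del self.flows[f]

    def packet(self, flow, t):
        self.prune(t)
        self.flows.setdefault(flow, []).append(t)

    def history(self, flow, now):
        self.prune(now)
        return list(self.flows.get(flow, []))

class WindowTracker(InactivityTracker):
    def prune(self, now):
        # Drop individual records older than timeout; drop the flow if empty.
        for f, ts in list(self.flows.items()):
            kept = [t for t in ts if now - t <= self.timeout]
            if kept:
                self.flows[f] = kept
            else:
                del self.flows[f]

FLOW = ("10.0.0.1:1234", "10.0.0.2:80")  # constructed endpoints

def two_packet_scenario(tracker_cls, timeout):
    """Packets at t=1 and t=timeout-1; what is still held at t=timeout+2?"""
    tr = tracker_cls(timeout)
    tr.packet(FLOW, 1)
    tr.packet(FLOW, timeout - 1)
    return tr.history(FLOW, timeout + 2)

def long_conversation(tracker_cls, timeout, duration):
    """One packet per second for `duration` seconds; records left at the end."""
    tr = tracker_cls(timeout)
    for t in range(1, duration + 1):
        tr.packet(FLOW, t)
    return len(tr.history(FLOW, duration))
```

With the inactivity reading the packet from t=1 is still held at t=X+2 and a continuously active conversation is never pruned (memory grows with its length); with the window reading the t=1 packet is gone and a long conversation is bounded to the last X seconds of records. Which reading a given preprocessor implements is something to confirm against its source, not from this model.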
