Snort mailing list archives
conversation and portscan2 timeout parameters
From: Rohan Amin <rohan () rohanamin com>
Date: Thu, 6 Nov 2003 20:27:17 -0800
Hi all, I am trying to understand how the portscan2 and conversation preprocessors work together. In particular, I am trying to understand the timeout options a little bit better.
From the Syngress book (free Chapter 6 PDF download):
conversation timeout: "Defaulting to 120, this defines the time in seconds for which the conversation preprocessor maintains information. After timeout seconds of inactivity, a conversation may be pruned to save resources"

portscan2 timeout: "Defaulting to 60, this parameter sets a time in seconds that any scanning data will last. If this time is exceeded without any activity from a host, data may be pruned."

For the conversation timeout, does it keep X seconds of information for each conversation? Or does it wait for X seconds of 'quiet' before dumping the conversation to that point? For example, if either host sends a packet at time=1 and not again until time=X-1, will the packet from time=1 be kept at time=X+2? If a conversation continues on for a very long time, at what point does the preprocessor start pruning?

Same questions for the portscan2 timeout as well.

And finally, how do these two timeout parameters affect each other? I know portscan2 is supposed to be dependent on conversation, so how do the timeout parameters work together (or not)?

Just trying to understand things a bit better. Hopefully this isn't too stupid of a question :)

Thanks for any help in advance.

Regards,
Rohan
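The inactivity-based reading of the two quoted descriptions, replayed over the timeline from the question, as an added example that is not part of the original post and is not Snort's code. The `IdleTable` class, the `replay` helper and the explicit prune times are assumptions made for illustration; how the two preprocessors' timeouts interact is not modelled.

```python
# Model of the quoted "inactivity" wording only; this is not Snort's code.
CONVERSATION_TIMEOUT = 120  # seconds, default quoted for conversation
PORTSCAN2_TIMEOUT = 60      # seconds, default quoted for portscan2


class IdleTable:
    """Tracked entries that may be pruned after `timeout` idle seconds."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.first_seen = {}  # key -> time the current entry was created
        self.last_seen = {}   # key -> time of the most recent activity

    def touch(self, key, now):
        self.first_seen.setdefault(key, now)
        self.last_seen[key] = now  # any activity restarts the idle clock

    def prune(self, now):
        """Drop entries idle for more than `timeout`; return their keys."""
        stale = [k for k, t in self.last_seen.items() if now - t > self.timeout]
        for k in stale:
            del self.first_seen[k], self.last_seen[k]
        return stale


def replay(timeout, packet_times, prune_times, key="hostA<->hostB"):
    """Replay one flow; map each prune time to the surviving entry's
    creation time, or None if the entry was pruned (hypothetical helper)."""
    table = IdleTable(timeout)
    events = sorted([(t, 0) for t in packet_times] + [(t, 1) for t in prune_times])
    result = {}
    for now, is_prune in events:
        if is_prune:
            table.prune(now)
            result[now] = table.first_seen.get(key)
        else:
            table.touch(key, now)
    return result


if __name__ == "__main__":
    X = CONVERSATION_TIMEOUT
    # Constructed timeline from the question: packets at 1 and X-1.
    print(replay(X, [1, X - 1], [X + 2, 2 * X + 5]))       # {122: 1, 245: None}
    # A long-lived flow with a packet every 30 s is never idle long enough.
    print(replay(X, range(0, 601, 30), [601, 721]))        # {601: 0, 721: None}
    # Shorter default: the 118 s gap exceeds 60 s, so state from t=1 is lost.
    print(replay(PORTSCAN2_TIMEOUT, [1, X - 1], [100, X + 2]))  # {100: None, 122: 119}
```

Under this reading, an entry's age is irrelevant: only the gap since its last packet matters, and an entry is dropped only when a prune pass actually runs after that gap has exceeded the timeout.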