Snort mailing list archives
Re: Emergency Ports
From: Matthew Watchinski <mwatchinski () sourcefire com>
Date: Thu, 12 Jan 2006 12:09:32 -0500
If "state_protection" is enabled then emergency ports is the list of ports to do reassembly on, when in self preservation conditions. These are the ports we view as "necessary" for catching exploits during bad traffic conditions.
/* initialize the self preservation counters */
s4data.sp_threshold = SELF_PRES_THRESHOLD;
s4data.sp_period = SELF_PRES_PERIOD;
s4data.suspend_threshold = SUSPEND_THRESHOLD;
s4data.suspend_period = SUSPEND_PERIOD;
s4data.state_protection = 0;
[..snip..]
else if(!strcasecmp(stoks[0], "state_protection"))
{
s4data.state_protection = 1;
}
[..snip..]
/*
* keep track of how many sessions per second we're creating
* vs. the number of data packets per second we get on
* those sessions
*/
if(s4data.state_protection)
++s4_emergency.new_session_count;
[..snip..]
else if(s4_emergency.new_session_count >= s4data.sp_threshold)
{
s4_emergency.status = OPS_SELF_PRESERVATION;
[..]
Cheers,
Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.
Martin Olsson wrote:
What is "Emergency Ports" found in stream4_reassemble and when/how are
they used?
The "emergency ports" seem to be the default portlist, containing
other ports than the ones I have specified with the "reassemble ports"
directive...
Example:
Stream4_reassemble config:
Server reassembly: ACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: random
Flush base: 512
Flush seed: 1137077499
Flush range: 1213
Ports: 20 21 23 25 53 80 110 111 143 513 1433 1521 3306 5432 6666 6667 8080
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
/Martin
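The self-preservation switch described in Matthew's reply, as an added C model that is not Snort's own code: it uses the two port lists from Martin's config dump, while the threshold value and the struct name are assumptions made for the demo.

```c
/* Added model of the stream4 self-preservation switch; not Snort's own code.
 * The threshold value below is an assumption chosen so the demo trips it. */
#include <stddef.h>
#include <stdio.h>

#define SELF_PRES_THRESHOLD 3u   /* assumed: new sessions per period */
#define NELEMS(a) (sizeof(a) / sizeof *(a))
enum { OPS_NORMAL = 0, OPS_SELF_PRESERVATION = 1 };

/* "Ports" and "Emergency Ports" exactly as in the config dump above */
static const int reassemble_ports[] = {20,21,23,25,53,80,110,111,143,513,
                                       1433,1521,3306,5432,6666,6667,8080};
static const int emergency_ports[]  = {21,23,25,42,53,80,110,111,135,136,
                                       137,139,143,445,513,1433,1521,3306};

struct s4_model {                   /* assumed name, mirrors s4data/s4_emergency */
    int state_protection;           /* set by the state_protection keyword */
    unsigned int sp_threshold;      /* new sessions per period that trip self-preservation */
    unsigned int new_session_count;
    int status;
};

static int in_list(const int *list, size_t n, int port)
{
    for (size_t i = 0; i < n; i++) if (list[i] == port) return 1;
    return 0;
}

/* Called once per new TCP session, mirroring the counter in the excerpt:
 * nothing is counted unless state_protection is on. */
static void s4_new_session(struct s4_model *m)
{
    if (m->state_protection && ++m->new_session_count >= m->sp_threshold)
        m->status = OPS_SELF_PRESERVATION;
}

/* Does stream4 reassemble this server port in the current state? */
static int s4_reassemble_port(const struct s4_model *m, int port)
{
    return m->status == OPS_SELF_PRESERVATION
         ? in_list(emergency_ports, NELEMS(emergency_ports), port)
         : in_list(reassemble_ports, NELEMS(reassemble_ports), port);
}

int main(void)
{
    struct s4_model m = { 1, SELF_PRES_THRESHOLD, 0, OPS_NORMAL };
    for (int i = 0; i < 3; i++) s4_new_session(&m);  /* burst of new sessions */
    printf("status=%d 8080->%d 445->%d\n", m.status,   /* prints 1 0 1 */
           s4_reassemble_port(&m, 8080), s4_reassemble_port(&m, 445));
    return 0;
}
```

Note that once self-preservation kicks in, 8080 (configured in "Ports") is no longer reassembled while 445 (only in "Emergency Ports") is, which is why the two lists differ in the dump.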
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users