Snort mailing list archives
Re: Emergency Ports
From: Matthew Watchinski <mwatchinski () sourcefire com>
Date: Thu, 12 Jan 2006 12:09:32 -0500
If "state_protection" is enabled, then "emergency ports" is the list of ports to do reassembly on when in self-preservation conditions. These are the ports we view as "necessary" for catching exploits during bad traffic conditions.

    /* initialize the self preservation counters */
    s4data.sp_threshold = SELF_PRES_THRESHOLD;
    s4data.sp_period = SELF_PRES_PERIOD;
    s4data.suspend_threshold = SUSPEND_THRESHOLD;
    s4data.suspend_period = SUSPEND_PERIOD;
    s4data.state_protection = 0;

    [..snip..]

    else if(!strcasecmp(stoks[0], "state_protection"))
    {
        s4data.state_protection = 1;
    }

    [..snip..]

    /*
     * keep track of how many sessions per second we're creating
     * vs. the number of data packets per second we get on
     * those sessions
     */
    if(s4data.state_protection)
        ++s4_emergency.new_session_count;

    [..snip..]

    else if(s4_emergency.new_session_count >= s4data.sp_threshold)
    {
        s4_emergency.status = OPS_SELF_PRESERVATION;
    [..]

Cheers,

Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.

Martin Olsson wrote:
What is "Emergency Ports" found in stream4_reassemble, and when/how are they used?

The "emergency ports" seem to be the default portlist, containing other ports than the ones I have specified with the "reassemble ports" directive...

Example:

Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old Packet
    Sequence Overlap Limit: -1
    Flush behavior: random
    Flush base: 512
    Flush seed: 1137077499
    Flush range: 1213
    Ports: 20 21 23 25 53 80 110 111 143 513 1433 1521 3306 5432 6666 6667 8080
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306

/Martin

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
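The following is an added example, not Snort's code and not part of either message above. It models in plain C the behaviour Matthew's reply describes: with state_protection on, new sessions are counted per period, the preprocessor flips to OPS_SELF_PRESERVATION once the count reaches sp_threshold, and in that state only the emergency port list is reassembled. The two port lists are copied from Martin's stream4_reassemble dump; the struct layout, the function names, the window-reset rule for leaving self-preservation, and the threshold and period values (50 sessions over 5 seconds) are assumptions for illustration, not Snort's defaults.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Operating states, named after the constants visible in the posted snippet. */
enum ops_status { OPS_NORMAL = 0, OPS_SELF_PRESERVATION = 1 };

/* Port lists copied from Martin's stream4_reassemble dump (0 terminates). */
static const uint16_t reassemble_ports[] = {
    20, 21, 23, 25, 53, 80, 110, 111, 143, 513, 1433, 1521, 3306,
    5432, 6666, 6667, 8080, 0 };
static const uint16_t emergency_ports[] = {
    21, 23, 25, 42, 53, 80, 110, 111, 135, 136, 137, 139, 143, 445,
    513, 1433, 1521, 3306, 0 };

/* Assumed stand-in for the s4data / s4_emergency fields in the snippet. */
struct sp_state {
    bool state_protection;      /* set by the "state_protection" keyword */
    unsigned sp_threshold;      /* new sessions per period that trip self-preservation */
    unsigned sp_period;         /* counting window, seconds (assumed semantics) */
    unsigned new_session_count; /* new sessions seen in the current window */
    time_t window_start;
    enum ops_status status;
};

void sp_init(struct sp_state *s, bool protect, unsigned threshold,
             unsigned period, time_t now)
{
    s->state_protection = protect;
    s->sp_threshold = threshold;
    s->sp_period = period;
    s->new_session_count = 0;
    s->window_start = now;
    s->status = OPS_NORMAL;
}

/* Account for one new TCP session at time `now` and return the resulting
 * state. Without state_protection the counter never moves, so the
 * preprocessor stays in OPS_NORMAL however fast sessions arrive. */
enum ops_status sp_new_session(struct sp_state *s, time_t now)
{
    if (!s->state_protection)
        return OPS_NORMAL;

    if (now - s->window_start >= (time_t)s->sp_period) {
        /* Window expired: only a window that stayed under the threshold
         * returns us to normal operation (assumed recovery rule). */
        if (s->new_session_count < s->sp_threshold)
            s->status = OPS_NORMAL;
        s->new_session_count = 0;
        s->window_start = now;
    }

    if (++s->new_session_count >= s->sp_threshold)
        s->status = OPS_SELF_PRESERVATION;

    return s->status;
}

static bool in_list(const uint16_t *list, uint16_t port)
{
    for (; *list; list++)
        if (*list == port)
            return true;
    return false;
}

/* The configured "ports" govern reassembly normally; the emergency list
 * takes over while the preprocessor is self-preserving. */
bool sp_should_reassemble(const struct sp_state *s, uint16_t port)
{
    const uint16_t *list = (s->status == OPS_SELF_PRESERVATION)
                               ? emergency_ports : reassemble_ports;
    return in_list(list, port);
}

int main(void)
{
    struct sp_state s;
    sp_init(&s, true, 50, 5, 1000);  /* 50 new sessions in 5 s: assumed values */

    /* 8080 is only in the normal list, 445 only in the emergency list. */
    printf("normal:     8080=%d 445=%d\n",
           sp_should_reassemble(&s, 8080), sp_should_reassemble(&s, 445));

    for (unsigned i = 0; i < 50; i++)  /* constructed burst: 50 SYNs in one second */
        sp_new_session(&s, 1001);
    printf("emergency:  8080=%d 445=%d\n",
           sp_should_reassemble(&s, 8080), sp_should_reassemble(&s, 445));

    sp_new_session(&s, 1010);  /* closes the busy window, still self-preserving */
    sp_new_session(&s, 1020);  /* closes a quiet window, back to normal */
    printf("recovered:  8080=%d 445=%d\n",
           sp_should_reassemble(&s, 8080), sp_should_reassemble(&s, 445));
    return 0;
}
```

Two things worth checking against your own configuration follow from this. First, the snippet initialises s4data.state_protection to 0 and sets it only when the keyword is present, so the "Emergency Ports" line in the startup dump is printed whether or not it will ever be consulted. Second, the two lists in Martin's dump do not nest: 20, 5432, 6666, 6667 and 8080 are reassembled only in normal operation, while 42, 135 to 139 and 445 are reassembled only under self-preservation, so rules that depend on reassembled streams on those ports behave differently in the two states.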
Current thread:
- Emergency Ports Martin Olsson (Jan 12)
- Re: Emergency Ports Matthew Watchinski (Jan 12)