[Snort-devel] Stateful Snort?

Fyodor fygrave at ...1...
Wed Jun 20 07:34:45 EDT 2001


> Pardon me for being clueless, but it's been a _long_ day...
> 
> Does snort keep state?  If I read the code correctly, it doesn't.  But, it's
> late and my brain is coffeeless.
> 

Nope, it doesn't do stateful inspection. Not in this sense. (see below)

> due to IDS admins not properly excluding their own DNS servers from the
> "DNS source porting attack".  However, that's not what is going on here.
> 
> >
> > The most likely explanation is that Snort "lost state" on your outgoing DNS
> > queries, because I.gtld-servers.net is taking too long to answer.
> 
> I don't think DNS is one of the items Snort keeps state on.
> 

Correct. Snort doesn't keep state of the DNS queries. All it does is
ignore UDP packets to port 53 of your DNS servers from your internal
network (which is basically a matter of tuning configuration/rules,
not Snort itself).

-F
-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1



