[Snort-devel] Better Port Lists
roesch at ...402...
Tue Aug 3 20:40:03 EDT 2004
We need to build a fast port lookup database thing
(heap/cache/whatever) so that we can do fast lookups and minimize the
amount of memory. Obviously I haven't put too much thought into it
because shoehorning it into the existing system would be a PITA (on the
order of what happened when we added IP lists).
Anyway, we've got some fairly significant work on the drawing board for
doing target-based IDS, and getting port lists in there will be part of
it; have no fear. :)
On Jul 20, 2004, at 9:52 AM, Alex Butcher, ISC/ISYS wrote:
> --On 14 July 2004 21:44 +0000 "Sheppard Martin Contr AFRL/IFGB"
> <Martin.Sheppard at ...2281...> wrote:
>> I have been waiting for this for a few years also. Sigh... Haven't
>> the time to do it myself. Haven't seen any mention of a timeframe for
>> implementation, but this feature request does show up on the list
>> every so often. Someday :)
>> -----Original Message-----
>> From: snort-devel-admin at lists.sourceforge.net
>> [mailto:snort-devel-admin at lists.sourceforge.net]On Behalf Of Lionel
>> There is one feature that we really miss in Snort which is the ability
>> to declare arbitrary port lists/sets like 80,8000-8099,9000 (using the
>> Nmap syntax).
> My guess is that this hasn't been done because it would either require
> comparing two 16KByte bitmaps (i.e. one bit for every port, both UDP
> and TCP) for every packet analysed, or the analysis engine would have
> to use a linked list to represent arbitrary ranges (i.e. start port,
> end port, "next port range" pointer).
> I suspect both would add significant per-packet overhead to the
> Best Regards,
> Alex Butcher: Security & Integrity, Personal Computer Systems Group
> Information Systems and Computing GPG Key ID: F9B27DC9
> GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
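As an added example (not code from this thread, and not Snort's own implementation), here is the per-port bitmap Alex describes, fed by a parser for the Nmap-style list syntax Lionel asked for. The names `port_set_t`, `port_set_parse`, `port_set_contains` and the wrappers are assumptions for this illustration, and the spec string in `main` is a constructed sample. One bitmap costs 8 KiB per protocol (65536 bits), and the per-packet check is one byte load, a shift and a mask, so the cost Alex worries about lands in the parse at config time rather than on the packet path.

```c
/* Added example, not Snort code: Nmap-style port list -> 65536-bit bitmap. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PORT_COUNT        65536u
#define PORT_BITMAP_BYTES (PORT_COUNT / 8)   /* 8 KiB per protocol */

typedef struct {
    uint8_t bits[PORT_BITMAP_BYTES];
} port_set_t;

static void port_set_add(port_set_t *s, unsigned port)
{
    s->bits[port >> 3] |= (uint8_t)(1u << (port & 7));
}

/* O(1) lookup: the only work that would run on the packet path. */
int port_set_contains(const port_set_t *s, unsigned port)
{
    if (port >= PORT_COUNT)
        return 0;
    return (s->bits[port >> 3] >> (port & 7)) & 1;
}

/*
 * Parse "p", "lo-hi" and comma-separated combinations (no spaces), e.g.
 * "80,8000-8099,9000". Returns 0 on success, -1 on malformed input. The set
 * is cleared first so a failed parse never leaves stale bits behind.
 */
int port_set_parse(port_set_t *s, const char *spec)
{
    const char *p = spec;

    memset(s->bits, 0, sizeof s->bits);
    if (*p == '\0')
        return -1;                  /* empty list is an error, not "all ports" */

    while (*p != '\0') {
        char *end;
        long lo, hi;

        if (!isdigit((unsigned char)*p))
            return -1;
        lo = strtol(p, &end, 10);
        if (lo < 0 || lo >= (long)PORT_COUNT)
            return -1;
        p = end;
        hi = lo;

        if (*p == '-') {            /* inclusive range lo-hi */
            p++;
            if (!isdigit((unsigned char)*p))
                return -1;
            hi = strtol(p, &end, 10);
            if (hi < lo || hi >= (long)PORT_COUNT)
                return -1;
            p = end;
        }

        for (long port = lo; port <= hi; port++)
            port_set_add(s, (unsigned)port);

        if (*p == ',') {
            p++;
            if (*p == '\0')
                return -1;          /* trailing comma */
        } else if (*p != '\0') {
            return -1;              /* stray character */
        }
    }
    return 0;
}

/* Number of ports in the set; walks the bitmap once (config time only). */
unsigned port_set_count(const port_set_t *s)
{
    unsigned n = 0;
    for (size_t i = 0; i < PORT_BITMAP_BYTES; i++)
        for (uint8_t b = s->bits[i]; b != 0; b &= (uint8_t)(b - 1))
            n++;
    return n;
}

/* Parse-and-query wrappers: 1/0 for membership, -1 if the spec is malformed. */
int port_list_matches(const char *spec, unsigned port)
{
    port_set_t s;
    if (port_set_parse(&s, spec) != 0)
        return -1;
    return port_set_contains(&s, port);
}

long port_list_size(const char *spec)
{
    port_set_t s;
    if (port_set_parse(&s, spec) != 0)
        return -1;
    return (long)port_set_count(&s);
}

int main(void)
{
    const char *spec = "80,8000-8099,9000";       /* constructed sample */
    unsigned probe[] = { 79, 80, 8000, 8099, 8100, 9000 };
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++)
        printf("port %5u: %s\n", probe[i],
               port_list_matches(spec, probe[i]) ? "match" : "no match");
    printf("%ld ports in set, %zu bytes of bitmap\n",
           port_list_size(spec), sizeof(port_set_t));
    return 0;
}
```

The linked list of (start, end) ranges Alex mentions as the alternative trades the fixed 8 KiB for a per-packet walk whose cost grows with the number of ranges; with the bitmap, a rule that lists a hundred ranges costs exactly the same per packet as one that lists a single port, which is the property you want when the port list ends up inside the detection engine's hot path.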