[Snort-devel] Better Port Lists

Martin Roesch roesch at ...402...
Tue Aug 3 20:40:03 EDT 2004


We need to build a fast port lookup database thing 
(heap/cache/whatever) so that we can do fast lookups and minimize the 
amount of memory.  Obviously I haven't put too much thought into it 
because shoehorning it into the existing system would be a PITA (on the 
order of what happened when we added IP lists).

Anyway, we've got some fairly significant work on the drawing board for 
doing target-based IDS and getting port lists in there will be part of 
it, have no fear. :)

       -Marty


On Jul 20, 2004, at 9:52 AM, Alex Butcher, ISC/ISYS wrote:

>
> --On 14 July 2004 21:44 +0000 "Sheppard Martin Contr AFRL/IFGB" 
> <Martin.Sheppard at ...2281...> wrote:
>
>> I have been waiting for this for a few years also.  sigh..  Haven't had
>> the time to do it myself.  Haven't seen any mention of a timeframe for
>> implementation, but this feature request does show up on the list every so
>> often.  someday:)
>>
>> -----Original Message-----
>> From: snort-devel-admin at lists.sourceforge.net
>> [mailto:snort-devel-admin at lists.sourceforge.net]On Behalf Of Lionel CONS
>
> [snip]
>
>> There is one feature that we really miss in Snort which is the ability
>> to declare arbitrary port lists/sets like 80,8000-8099,9000 (using the
>> Nmap syntax).
>
> My guess is that this hasn't been done because it would either require 
> comparing two 16KByte bitmaps (i.e. one bit for every port, both UDP 
> and TCP) for every packet analysed, or the analysis engine would have 
> to use a linked list to represent arbitrary ranges (i.e. start port, 
> end port, "next port range" pointer).
>
> I suspect both would add significant per-packet overhead to the 
> analysis.
>
> Best Regards,
> Alex.
> -- 
> Alex Butcher: Security & Integrity, Personal Computer Systems Group
> Information Systems and Computing             GPG Key ID: F9B27DC9
> GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org