[Snort-devel] Re: Better Port Lists
dank at ...2617...
Mon Aug 23 09:19:20 EDT 2004
On 2004-07-20, Alex Butcher, ISC/ISYS <Alex.Butcher at ...2437...> wrote:
> My guess is that this hasn't been done because it would either require
> comparing two 16KByte bitmaps (i.e. one bit for every port, both UDP and
> TCP) for every packet analysed, or the analysis engine would have to use a
> linked list to represent arbitrary ranges (i.e. start port, end port, "next
> port range" pointer).
yes ... if rules are specified for, say, every odd port. coded
properly for memory access, you're talking a few indirections and
branches. if rule authors wish to DoS themselves, there are easier ways.
nick black "np: the class of dashed hopes and idle dreams."
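
The two port-set representations discussed in this thread, as an added example that is not part of the original post and is not Snort code: a one-bit-per-port bitmap and a range list, both loaded with the "every odd port" case. It assumes a sorted array searched by bisection in place of the linked list mentioned in the quote; all type and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One bit per port: 65536 bits = 8 KB per protocol (16 KB for TCP + UDP). */
typedef struct { uint8_t bits[65536 / 8]; } port_bitmap;

static void bitmap_add_range(port_bitmap *pb, unsigned lo, unsigned hi) {
    for (unsigned p = lo; p <= hi && p <= 65535; p++)
        pb->bits[p >> 3] |= (uint8_t)(1u << (p & 7));
}

/* Per-packet test: one index, one shift, one mask. */
static int bitmap_has(const port_bitmap *pb, uint16_t port) {
    return (pb->bits[port >> 3] >> (port & 7)) & 1;
}

/* Alternative: sorted, non-overlapping ranges (assumed array, not a list). */
typedef struct { uint16_t lo, hi; } port_range;

static int ranges_has(const port_range *r, size_t n, uint16_t port) {
    size_t left = 0, right = n;
    while (left < right) {               /* at most ~15 steps for 32768 ranges */
        size_t mid = left + (right - left) / 2;
        if (port < r[mid].lo)      right = mid;
        else if (port > r[mid].hi) left = mid + 1;
        else return 1;
    }
    return 0;
}

/* Every odd port: fills both structures, returns the range count needed. */
static size_t build_odd_ports(port_bitmap *pb, port_range *r) {
    size_t n = 0;
    memset(pb, 0, sizeof *pb);
    for (unsigned p = 1; p <= 65535; p += 2, n++) {
        bitmap_add_range(pb, p, p);
        r[n].lo = r[n].hi = (uint16_t)p;
    }
    return n;
}

int main(void) {
    static port_bitmap pb;
    static port_range r[32768];          /* constructed worst-case input */
    size_t n = build_odd_ports(&pb, r);
    printf("%zu ranges, %zu-byte bitmap, port 81: %d/%d\n",
           n, sizeof pb, bitmap_has(&pb, 81), ranges_has(r, n, 81));
    return 0;
}
```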