[Snort-devel] Re: Better Port Lists

nick black dank at ...2617...
Mon Aug 23 09:19:20 EDT 2004


On 2004-07-20, Alex Butcher, ISC/ISYS <Alex.Butcher at ...2437...> wrote:
> My guess is that this hasn't been done because it would either require 
> comparing two 16KByte bitmaps (i.e. one bit for every port, both UDP and 
> TCP) for every packet analysed, or the analysis engine would have to use a 
> linked list to represent arbitrary ranges (i.e. start port, end port, "next 
> port range" pointer).

yes ... if rules are specified for, say, every odd port.  coded
properly for memory access, you're talking a few indirections and
branches.  if rule authors wish to DoS themselves, there's easier ways.

-- 
nick black                  "np:  the class of dashed hopes and idle dreams."
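
Added example, not part of the original message and not Snort code: the two port-list representations discussed above, each with the per-packet membership test it implies, exercised on the every-odd-port case. All type and function names are hypothetical, and the port set is constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
/* One bit per port: 65536 bits = 8 KiB per protocol, 16 KiB for TCP + UDP. */
typedef struct { uint8_t bits[65536 / 8]; } port_bitmap;
/* Inclusive range; a port list is a sorted, non-overlapping array of these. */
typedef struct { uint16_t lo, hi; } port_range;

static void bitmap_add_range(port_bitmap *bm, uint16_t lo, uint16_t hi)
{
    for (uint32_t p = lo; p <= hi; p++)  /* 32-bit counter: hi == 65535 terminates */
        bm->bits[p >> 3] |= (uint8_t)(1u << (p & 7));
}

/* Per-packet check on the bitmap: one index, one shift, one mask. */
static int bitmap_has(const port_bitmap *bm, uint16_t port)
{
    return (bm->bits[port >> 3] >> (port & 7)) & 1;
}

/* Per-packet check on n sorted ranges: binary search, about log2(n) branches. */
static int ranges_have(const port_range *r, size_t n, uint16_t port)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (port < r[mid].lo)      hi = mid;
        else if (port > r[mid].hi) lo = mid + 1;
        else                       return 1;
    }
    return 0;
}

/* Constructed worst case from the reply: every odd port = 32768 one-port ranges.
   Returns how many of the 65536 ports the two representations disagree on. */
static unsigned odd_ports_mismatches(void)
{
    port_bitmap *bm = calloc(1, sizeof *bm);
    port_range *r = malloc(32768 * sizeof *r);
    unsigned bad = 0;
    if (!bm || !r) { free(bm); free(r); return ~0u; }
    for (uint32_t i = 0; i < 32768; i++) {
        r[i].lo = r[i].hi = (uint16_t)(2 * i + 1);
        bitmap_add_range(bm, r[i].lo, r[i].hi);
    }
    for (uint32_t p = 0; p <= 65535; p++)
        bad += bitmap_has(bm, (uint16_t)p) != ranges_have(r, 32768, (uint16_t)p);
    free(bm); free(r);
    return bad;
}
int main(void) { return odd_ports_mismatches() != 0; }
```

In this sketch the bitmap is built once when the port list is loaded; each packet then costs a single bit test on its own port, or about 15 comparisons against the 32768-entry range array.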




