[Snort-devel] Better Port Lists
Alex Butcher, ISC/ISYS
Alex.Butcher at ...2437...
Tue Jul 20 06:53:01 EDT 2004
--On 14 July 2004 21:44 +0000 "Sheppard Martin Contr AFRL/IFGB"
<Martin.Sheppard at ...2281...> wrote:
> I have been waiting for this for a few years also. sigh.. Haven't had
> the time to do it myself. Haven't seen any mention of a timeframe for
> implementation, but this feature request does show up on the list every so
> often. someday:)
> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net
> [mailto:snort-devel-admin at lists.sourceforge.net]On Behalf Of Lionel CONS
> There is one feature that we really miss in Snort which is the ability
> to declare arbitrary port lists/sets like 80,8000-8099,9000 (using the
> Nmap syntax).

My guess is that this hasn't been done because it would either require
comparing two 16KByte bitmaps (i.e. one bit for every port, both UDP and
TCP) for every packet analysed, or the analysis engine would have to use a
linked list to represent arbitrary ranges (i.e. start port, end port, "next
port range" pointer).

I suspect both would add significant per-packet overhead to the analysis.

Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
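
Added example (not part of the original message and not Snort code): the bitmap representation mentioned above, built from the Nmap-style list in the quoted request, with one bit per port for a single protocol. All names (portset_t, portset_parse, port_in_spec) are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define PORT_COUNT 65536u

/* Hypothetical type: one bit per port for ONE protocol (65536 / 8 = 8192 bytes). */
typedef struct { uint8_t bits[PORT_COUNT / 8]; } portset_t;

/* Membership test for a packet's port: one byte load, a shift and a mask. */
static int portset_contains(const portset_t *ps, uint16_t port)
{
    return (ps->bits[port >> 3] >> (port & 7)) & 1;
}

/* Parse one decimal port in 0..65535 and advance *s; returns 0 on success. */
static int parse_port(const char **s, unsigned *out)
{
    char *end;
    if (**s < '0' || **s > '9') return -1;     /* rejects sign, space, empty */
    unsigned long v = strtoul(*s, &end, 10);
    if (v >= PORT_COUNT) return -1;            /* also catches strtoul overflow */
    *out = (unsigned)v;
    *s = end;
    return 0;
}

/* Parse "80,8000-8099,9000" into ps. Returns 0 on success, -1 on malformed
 * input (the contents of ps are unspecified after a failure). */
int portset_parse(portset_t *ps, const char *spec)
{
    memset(ps, 0, sizeof *ps);
    for (;;) {
        unsigned lo, hi;
        if (parse_port(&spec, &lo) != 0) return -1;
        hi = lo;
        if (*spec == '-') {                    /* range form: lo-hi */
            spec++;
            if (parse_port(&spec, &hi) != 0 || hi < lo) return -1;
        }
        for (unsigned p = lo; p <= hi; p++)
            ps->bits[p >> 3] |= (uint8_t)(1u << (p & 7));
        if (*spec == '\0') return 0;
        if (*spec++ != ',') return -1;         /* only ',' may separate items */
    }
}

/* Wrapper for quick checks: 1 = in list, 0 = not in list, -1 = bad spec. */
int port_in_spec(const char *spec, uint16_t port)
{
    portset_t ps;
    return portset_parse(&ps, spec) != 0 ? -1 : portset_contains(&ps, port);
}
```

In a rule engine the set would be parsed once at rule-load time and only portset_contains would run per packet.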