[Snort-devel] [PATCH] filter on session age

Victor Julien victor at ...2603...
Mon Jul 24 08:18:59 EDT 2006


Kees Cook wrote:
> Hello!
> 
> This patch allows TCP session ages to be filtered.  This can let you 
> alert/drop on long-running connections.  For example:
> 
> drop tcp any any <> any any (msg: "Age over 60 seconds"; age:>60; resp:rst_all;)

Interesting idea!

In the current patch, I think there is an issue with packets without a 
session associated to it. This can happen when a session has timed out 
in stream4 and midstream session pickups are disabled. In that case 
'age' will be used uninitialized.

I suggest something like:

     if ((session=p->ssnptr)==NULL)
	return 0;

     age = session->last_session_time - session->start_time;

Instead of:

     if ((session=p->ssnptr)!=NULL) {
         age = session->last_session_time - session->start_time;
     }

I'll check this plugin out as soon as i have some free time, whenever 
that may be :-(

Cheers!
Victor




> 
> 
> ------------------------------------------------------------------------
> 
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys -- and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel





More information about the Snort-devel mailing list