[Snort-devel] [PATCH] filter on session age
victor at ...2603...
Tue Jul 25 02:56:27 EDT 2006
Kees Cook wrote:
> On Mon, Jul 24, 2006 at 02:18:59PM +0200, Victor Julien wrote:
>> Interesting idea!
>> In the current patch, I think there is an issue with packets without a
>> session associated to it. This can happen when a session has timed out
>> in stream4 and midstream session pickups are disabled. In that case
>> 'age' will be used uninitialized.
> Actually, "session" got re-tested in the next "if", so age wouldn't end
> up tested in an uninitialized state. I arranged it this way to make
> sure the DEBUG section would get run no matter what.
Whoops, missed that part.
> For clarity, I've re-arranged it, with the new patch attached.
It looks good to me.
>> I'll check this plugin out as soon as i have some free time, whenever
>> that may be :-(
> Great! Thanks again,
Maybe a future enhancement: possibly you can support non-tcp traffic by
working with information from the flow engine. I could imagine this
being useful for detecting nodes using media streams, voip, etc. Just a
More information about the Snort-devel