[Snort-devel] [PATCH] filter on session age

Victor Julien victor at ...2603...
Tue Jul 25 02:56:27 EDT 2006


Kees Cook wrote:
> On Mon, Jul 24, 2006 at 02:18:59PM +0200, Victor Julien wrote:
>> Interesting idea!
> 
> Thanks!
> 
>> In the current patch, I think there is an issue with packets without a 
>> session associated with them. This can happen when a session has timed out 
>> in stream4 and midstream session pickups are disabled. In that case 
>> 'age' will be used uninitialized.
> 
> Actually, "session" got re-tested in the next "if", so age wouldn't end 
> up tested in an uninitialized state.  I arranged it this way to make 
> sure the DEBUG section would get run no matter what.

Whoops, missed that part.

> For clarity, I've re-arranged it, with the new patch attached.

It looks good to me.

> 
>> I'll check this plugin out as soon as I have some free time, whenever 
>> that may be :-(
> 
> Great!  Thanks again,
> 

Maybe a future enhancement: possibly you can support non-TCP traffic by 
working with information from the flow engine. I could imagine this 
being useful for detecting nodes using media streams, VoIP, etc. Just a 
thought...

Regards,
Victor



