[Snort-devel] Implementing timeouts in Snort

Devdutt Patnaik xendevid at ...2499...
Tue Oct 21 17:27:28 EDT 2008


Well, I faced the same problem once earlier. I don't want to depend on the
packet driven mechanism to drive my timeout logic.
I am not using snort to generate these packets. I'm just looking at the
packets as they arrive.

Any ideas?

-Devdutt.

On Tue, Oct 21, 2008 at 4:45 PM, Steven Sturges <
steve.sturges at ...402...> wrote:

> What I mentioned was inherent with using the stream API based on
> the timeouts configured for the TCP sessions.
>
> Remember that Snort is packet based, so you can really only operate
> when a packet comes in.  You could just store the data in the
> session, and then if a response comes back beyond your configured
> interval, have the preprocessor clear the state data as needed.
>
> Are you using Snort to send out the challenge and process the
> response data, or is that a separate application?  Might be able
> to use some flowbits and a threshold configured for a set of
> related rules to accomplish this as well... Not sure of the details
> of your protocol, so I can't say for certain.
>
> Cheers.
> -steve
>
> Devdutt Patnaik wrote:
> > Hi Steve,
> >
> > Does it mean that there is an inbuilt timer in Snort that I can invoke
> > using the conf file?
> > Or what you mention is relevant to the stream API that handles timeouts
> > by itself based on TCP sessions.
> >
> > I want to be able to code up something like an authentication scenario,
> > e.g. I get a request, following which I send out a challenge and wait for
> > the response for an interval of 5 seconds. If no response comes back for
> > the challenge, I would just clean up the state that I created prior to
> > sending out the challenge.
> >
> > Do let me know.
> >
> > Thanks
> > Devdutt.
> >
> > On Tue, Oct 21, 2008 at 8:39 AM, Steven Sturges
> > <steve.sturges at ...402... <mailto:steve.sturges at ...402...>> wrote:
> >
> >     Hi Devdutt--
> >
> >     Depending on what protocols your preprocessor is using, you
> >     can leverage the stream API and store data that is associated
> >     with the TCP or UDP session structure.
> >
> >     The data is then freed (providing you specify a free
> >     function) when the session is terminated -- via timeout or
> >     normal TCP FIN/FIN-ACK/etc.
> >
> >     Cheers.
> >     -steve
> >
> >     Devdutt Patnaik wrote:
> >     > Hi All,
> >     >
> >     > I am currently working on a preprocessor plugin that needs to keep
> >     > some state but will discard it upon a timeout.
> >     >
> >     > I have some experience with snort and have previously written a
> >     > state machine based preprocessor plugin.
> >     > However I didn't have to use timeouts until now. All the logic was
> >     > just based on incoming packet events, i.e. asynchronous, wherein the
> >     > packet arrival events would allow/trigger my logic to execute.
> >     > In the timer case I need to get some code to run without triggers
> >     > from incoming packets.
> >     >
> >     > I looked at the snort.conf file and preprocessors like frag3 do use
> >     > timers/timeouts. However it isn't clear how they are implemented in
> >     > the code.
> >     >
> >     > Can someone give me a few tips/hints so that I could understand how I
> >     > could implement timeouts/timers in Snort?
> >     >
> >     > Thanks,
> >     > Devdutt.
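The packet-driven expiry Steve describes (no timer; stale challenge state is found and cleared when the next packet arrives, with the 5 second interval from the thread), as an added example in plain C that is not from this thread or from Snort's source. The session table, packet types, outcome codes and the per-packet timestamp argument are constructed stand-ins for what a preprocessor would attach to a stream session.

```c
#include <stdint.h>
#include <string.h>
#define CHALLENGE_TIMEOUT_SEC 5   /* the thread's interval: wait 5 s for a response */
#define MAX_SESSIONS 16

/* Per-session challenge state: constructed stand-in for what a preprocessor
 * would attach to a stream session (not Snort's own structures). */
typedef struct {
    int      in_use;
    uint32_t key;      /* constructed session identifier */
    uint32_t sent_at;  /* timestamp (s) of the packet that triggered the challenge */
} chal_state_t;
static chal_state_t table[MAX_SESSIONS];
enum pkt_type { PKT_REQUEST, PKT_RESPONSE };
enum outcome  { OUT_CHALLENGE_SENT, OUT_RESPONSE_OK, OUT_RESPONSE_LATE, OUT_NO_CHALLENGE, OUT_NO_SLOT };
static chal_state_t *find_slot(uint32_t key, int want_free) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (want_free ? !table[i].in_use : (table[i].in_use && table[i].key == key))
            return &table[i];
    return 0;
}

/* Sweep entries older than the interval. It runs from the packet path, so a
 * session that never answers is reclaimed when any later packet arrives. */
int expire_stale(uint32_t now) {
    int freed = 0;
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (table[i].in_use && now - table[i].sent_at > CHALLENGE_TIMEOUT_SEC) {
            memset(&table[i], 0, sizeof table[i]);  /* what a free callback would do */
            freed++;
        }
    return freed;
}

/* Called once per packet; 'now' is the packet's own timestamp (assumed non-decreasing).
 * No timer exists: a timeout is only ever observed here, when the next packet comes in. */
int on_packet(uint32_t key, enum pkt_type type, uint32_t now) {
    chal_state_t *s = find_slot(key, 0);
    int late = s && now - s->sent_at > CHALLENGE_TIMEOUT_SEC;
    expire_stale(now);                       /* also clears s when it is late */
    if (type == PKT_REQUEST) {
        if (late || !s) s = find_slot(key, 1);
        if (!s) return OUT_NO_SLOT;
        s->in_use = 1; s->key = key; s->sent_at = now;
        return OUT_CHALLENGE_SENT;
    }
    if (late) return OUT_RESPONSE_LATE;      /* stale state was already cleaned up */
    if (!s) return OUT_NO_CHALLENGE;
    memset(s, 0, sizeof *s);                 /* one-shot: consume the challenge */
    return OUT_RESPONSE_OK;
}
```

A response that arrives after the interval is reported as late and its state is gone, which is the cleanup behaviour the thread asks for; the sweep in `expire_stale` additionally bounds how long unanswered challenges can sit in the table.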