[Snort-sigs] Submit new detection engine?
nealk at ...1616...
Thu Jun 19 09:18:11 EDT 2003
How do I submit a new snort detection engine plugin?
It is a detection-engine called "uninvited".
It looks for any inbound packets that are not part of a reply.
Here's what it looks for:
- Any packets not to or from the host (-h) are "uninvited".
  Rationale: The packet made it to my system without an invitation.
  Since I didn't ask for them to send packets to me, they are
- Any packet sessions that originate (e.g., TCP SYN) from my host
  I keep track of src, dst, port, and protocol (s/d/p/p).
  The first time a s/d/p/p is seen, I check if the src is from my host.
  If it is, then all s/d/p/p are "invited" (not logged).
  Otherwise, the entire session is "uninvited" (logged).
  NOTE: "uninvited" is not the same as "unwelcome". My firewall
  allows SSH connections to come in, but I still want to log the
- A session times out after a period of inactivity.
  - An invited session times out after 5 minutes.
  - An uninvited session where my host replies times out after 5 minutes.
    "Why 5 minutes?" Many home routers time out NAT sessions after 5
    minutes. If that's too short, let me know.
  - An uninvited SYN times out after 30 seconds.
    "Why 30 seconds?" Prevents a SYN-ACK scan from hogging all session
- Currently, it tracks 65536+2 simultaneous sessions.
  (65536 ports + 2 more for good luck)
  "Why a fixed number?" Speed. Dynamic data structures would really
  slow down Snort.
"Why would you want this in the first place?"
My home firewall only logs failed packets (date/time/source).
It doesn't log the packet contents.
It doesn't log random packets (e.g., ACK without SYN).
And since I'm on a cable-modem, nobody from outside should be trying
to come in anyway. When they do try to come in, I want to know and
Is the snort project interested in this detection engine?
Please let me know how to submit it.
-Dr. Neal Krawetz
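The session-tracking rules described in the post (first packet of a
s/d/p/p decides invited vs. uninvited, 5-minute timeout for invited or
answered sessions, 30-second timeout for unanswered uninvited sessions,
fixed-size table), modelled as a stand-alone Python example. This is added
illustration, not the "uninvited" plugin or any Snort code. The home address
192.0.2.10, the packet trace, the direction-independent session key and the
behaviour when the table is full (log but do not track) are assumptions
chosen for the example; the post leaves the last two unspecified.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

HOME = "192.0.2.10"          # assumed home host, i.e. the Snort -h address
MAX_SESSIONS = 65536 + 2     # fixed table size from the post
ACTIVE_TTL = 5 * 60          # invited sessions, and uninvited ones the host answered
UNANSWERED_TTL = 30          # uninvited session the home host has not answered yet
                             # (the post states this for SYNs; applied to any
                             # unanswered uninvited session here, an assumption)


@dataclass
class Packet:
    ts: float          # seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str         # "tcp", "udp", ...
    flags: str = ""    # TCP flags, only for readability of the trace


@dataclass
class Session:
    invited: bool      # first packet of the s/d/p/p came from the home host
    answered: bool     # home host has sent at least one packet in it
    expires: float


Key = Tuple[str, str, int, int]


class UninvitedTracker:
    def __init__(self, home: str = HOME, capacity: int = MAX_SESSIONS):
        self.home = home
        self.capacity = capacity
        self.table: Dict[Key, Session] = {}

    def _key(self, p: Packet) -> Key:
        """(proto, remote ip, remote port, home port): same key in both directions."""
        if p.src == self.home:
            return (p.proto, p.dst, p.dport, p.sport)
        return (p.proto, p.src, p.sport, p.dport)

    def _purge(self, now: float) -> None:
        for k in [k for k, s in self.table.items() if s.expires <= now]:
            del self.table[k]

    def classify(self, p: Packet) -> str:
        """Return "invited" (silent) or "uninvited" (would be logged)."""
        if self.home not in (p.src, p.dst):
            return "uninvited"            # not to or from the host at all
        from_home = p.src == self.home
        key = self._key(p)
        s = self.table.get(key)
        if s is not None and s.expires <= p.ts:
            del self.table[key]           # idle too long: forget the session
            s = None
        if s is None:
            if len(self.table) >= self.capacity:
                self._purge(p.ts)
            if len(self.table) >= self.capacity:
                return "uninvited"        # table full: log, do not track (assumption)
            s = Session(invited=from_home, answered=from_home, expires=0.0)
            self.table[key] = s
        if from_home:
            s.answered = True             # a reply upgrades the timeout to 5 minutes
        s.expires = p.ts + (ACTIVE_TTL if s.answered else UNANSWERED_TTL)
        return "invited" if s.invited else "uninvited"


# Constructed trace (not captured traffic), in time order.
SAMPLE_TRACE: List[Packet] = [
    Packet(0, HOME, 40000, "198.51.100.5", 22, "tcp", "S"),     # we start SSH out
    Packet(1, "198.51.100.5", 22, HOME, 40000, "tcp", "SA"),    # their reply
    Packet(2, "203.0.113.7", 51000, HOME, 22, "tcp", "S"),      # inbound SSH attempt
    Packet(3, HOME, 22, "203.0.113.7", 51000, "tcp", "SA"),     # we answer it
    Packet(5, "10.0.0.1", 1, "10.0.0.2", 1, "udp"),             # neither side is us
    Packet(10, "203.0.113.9", 60000, HOME, 80, "tcp", "S"),     # unanswered SYN
    Packet(50, "203.0.113.9", 60000, HOME, 80, "tcp", "S"),     # 40 s later: new session
    Packet(100, HOME, 40000, "198.51.100.5", 22, "tcp", "A"),   # keeps SSH session alive
    Packet(200, "203.0.113.7", 51000, HOME, 22, "tcp", "A"),    # answered session, still alive
    Packet(400, "198.51.100.5", 22, HOME, 40000, "tcp", "A"),   # SSH session idle since 100
]


def run_trace(packets: List[Packet]) -> List[str]:
    tracker = UninvitedTracker()
    return [tracker.classify(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"t={p.ts:>4} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags:<2} {verdict}")
```

The last packet of the trace shows the "ACK without SYN" case the post
mentions: the outbound SSH session was last refreshed at t=100, so at
t=400 it has expired and the stray ACK from 198.51.100.5 starts a new,
uninvited session and gets logged, even though the peer is one we
talked to earlier.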