Submit new detection engine?

Thu Jun 19 09:18:11 EDT 2003


How do I submit a new snort detection engine plugin?

It is a detection-engine called "uninvited".
It looks for any inbound packets that are not part of a reply.

Here's what it looks for:
  - Any packets not to or from the host (-h) are "uninvited".
    Rationale: The packet made it to my system without an invitation.
    Since I didn't ask for them to send packets to me, they are

  - Any packet sessions that originate (e.g., TCP SYN) from my host
    are "invited".
    I keep track of src, dst, port, and protocol (s/d/p/p).
    The first time a s/d/p/p is seen, I check if the src is from my host.
    If it is, then all s/d/p/p are "invited" (not logged).
    Otherwise, the entire session is "uninvited" (logged).
    NOTE: "uninvited" is not the same as "unwelcome".  My firewall
    allows SSH connections to come in, but I still want to log the
    entire session.

  - A session times out after a period of inactivity.
    - An invited session times out after 5 minutes.
    - An uninvited session where my host replies times out after 5 minutes.
    "Why 5 minutes?"  Many home routers time out NAT sessions after 5
    minutes.  If that's too short, let me know.
    - An uninvited SYN times out after 30 seconds.
    "Why 30 seconds?"  Prevents a SYN-ACK scan from hogging all session

  - Currently, it tracks 65536+2 simultaneous sessions.
    (65536 ports + 2 more for good luck)
    "Why a fixed number?"  Speed.  Dynamic data structures would really
    slow down Snort.

"Why would you want this in the first place?"
My home firewall only logs failed packets (date/time/source).
It doesn't log the packet contents.
It doesn't log random packets (e.g., ACK without SYN).
And since I'm on a cable-modem, nobody from outside should be trying
to come in anyway.  When they do try to come in, I want to know and
capture it.

Is the snort project interested in this detection engine?
Please let me know how to submit it.

					-Dr. Neal Krawetz
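The session logic described in the post, written out as an added example. This is not Dr. Krawetz's plugin and is not Snort code; it is a stand-alone C sketch of the same rules: a packet neither to nor from the -h host is "uninvited" and not tracked, the first packet seen for a src/dst/port/proto tuple decides whether the session is invited (opened by my host) or uninvited (opened from outside), an uninvited session stays logged even after my host replies, and sessions are held in a fixed table of 65536+2 slots with the 5 minute / 5 minute / 30 second idle limits. Assumed details not in the post: the table is a linear-probing hash keyed on the direction-independent tuple, the 30 second limit is applied to any uninvited session my host has not answered (the post only names the unanswered SYN case), timestamps are whole seconds and monotonic, and the addresses in main() are constructed (10.0.0.5 plays the -h host).

```c
/* Added example, not the original plugin: fixed-size invited/uninvited session tracker. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SLOTS (65536 + 2)      /* 65536 ports + 2 more, as in the post */
#define INVITED_TIMEOUT   300        /* invited session: 5 minutes idle */
#define REPLIED_TIMEOUT   300        /* uninvited session my host answered: 5 minutes */
#define UNINVITED_TIMEOUT  30        /* uninvited, never answered: 30 seconds (assumed for all, not just SYN) */
#define MAX_PROBE 8                  /* linear-probe distance before treating the table as full */

enum verdict { UNINVITED = 0, INVITED = 1 };

/* One packet's 5-tuple plus a timestamp in seconds (addresses in host byte order). */
struct pkt { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; uint32_t ts; };

struct session {
    uint8_t used, verdict, replied, proto;
    uint32_t lo_ip, hi_ip; uint16_t lo_port, hi_port;   /* direction-independent key */
    uint32_t last_seen;
};

static struct session table[TABLE_SLOTS];
static uint32_t my_host;                                 /* the -h address */

void tracker_init(uint32_t host) { my_host = host; memset(table, 0, sizeof table); }

static uint32_t idle_limit(const struct session *s) {
    if (s->verdict == INVITED) return INVITED_TIMEOUT;
    return s->replied ? REPLIED_TIMEOUT : UNINVITED_TIMEOUT;
}

/* Canonical key: the endpoint with the lower (ip, port) first, so both directions match. */
static void key_of(const struct pkt *p, struct session *k) {
    int fwd = p->src < p->dst || (p->src == p->dst && p->sport <= p->dport);
    k->lo_ip = fwd ? p->src : p->dst;  k->lo_port = fwd ? p->sport : p->dport;
    k->hi_ip = fwd ? p->dst : p->src;  k->hi_port = fwd ? p->dport : p->sport;
    k->proto = p->proto;
}

static int same_key(const struct session *a, const struct session *b) {
    return a->lo_ip == b->lo_ip && a->hi_ip == b->hi_ip && a->proto == b->proto &&
           a->lo_port == b->lo_port && a->hi_port == b->hi_port;
}

static uint32_t hash_key(const struct session *k) {     /* FNV-1a over the key fields */
    uint32_t h = 2166136261u, v[5] = { k->lo_ip, k->hi_ip, k->lo_port, k->hi_port, k->proto };
    for (int i = 0; i < 5; i++)
        for (int b = 0; b < 4; b++) { h ^= (v[i] >> (8 * b)) & 0xffu; h *= 16777619u; }
    return h % TABLE_SLOTS;
}

/* Verdict for p; *is_new is set to 1 when this packet opened (or re-opened) a session. */
enum verdict classify(const struct pkt *p, int *is_new) {
    struct session k = {0}, *slot = NULL;
    *is_new = 0;
    if (p->src != my_host && p->dst != my_host) return UNINVITED;   /* not to/from host: log, don't track */
    key_of(p, &k);
    uint32_t h = hash_key(&k);
    for (uint32_t i = 0; i < MAX_PROBE; i++) {
        struct session *s = &table[(h + i) % TABLE_SLOTS];
        if (!s->used) { if (!slot) slot = s; break; }               /* end of probe chain */
        if (same_key(s, &k)) {
            if (p->ts - s->last_seen <= idle_limit(s)) {             /* still live: extend it */
                s->last_seen = p->ts;
                if (s->verdict == UNINVITED && p->src == my_host) s->replied = 1;
                return (enum verdict)s->verdict;
            }
            slot = s; break;                                         /* idle too long: reuse its slot */
        }
        if (!slot && p->ts - s->last_seen > idle_limit(s)) slot = s; /* expired stranger: reusable */
    }
    if (!slot) return UNINVITED;           /* probe run full: log it, but nothing to track it in */
    k.used = 1; k.replied = 0; k.last_seen = p->ts;
    k.verdict = (p->src == my_host) ? INVITED : UNINVITED;           /* first packet decides */
    *slot = k; *is_new = 1;
    return (enum verdict)k.verdict;
}

int main(void) {
    /* Constructed traffic: 10.0.0.5 is the -h host, the others are documentation addresses. */
    struct pkt out = {0x0A000005, 0xCB00710A, 40000, 80, 6, 0};     /* host -> 203.0.113.10:80 */
    struct pkt in  = {0xCB00710A, 0x0A000005, 80, 40000, 6, 1};     /* its reply */
    struct pkt ssh = {0xC633640B, 0x0A000005, 5555, 22, 6, 0};      /* 198.51.100.11 -> host:22 */
    int n;
    tracker_init(0x0A000005);
    printf("outbound web: %s\n", classify(&out, &n) ? "invited" : "uninvited");
    printf("web reply:    %s\n", classify(&in, &n)  ? "invited" : "uninvited");
    printf("inbound ssh:  %s\n", classify(&ssh, &n) ? "invited" : "uninvited");
    return 0;
}
```

The table never deletes entries; an expired slot is simply overwritten when a new tuple probes past it, which is what keeps the lookup a fixed-cost probe rather than a dynamic structure. The cost of that choice is the `MAX_PROBE` case: a burst of distinct tuples hashing into one neighbourhood will be logged but not tracked, so every packet of such a session is reported.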

