[Snort-sigs] Submit new detection engine?

daniel.clemens daniel_clemens at ...842...
Thu Jun 19 09:29:13 EDT 2003

Why don't you use another firewall or log incoming and outgoing packets on
the firewall?

On Tue, 17 Jun 2003, Neal wrote:

> Hi,
> How do I submit a new snort detection engine plugin?
> It is a detection-engine called "uninvited".
> It looks for any inbound packets that are not part of a reply.
> Here's what it looks for:
>   - Any packets not to or from the host (-h) are "uninvited".
>     Rational: The packet made it to my system without an invitation.
>     Since I didn't ask for them to send packets to me, they are
>     uninvited.
>   - Any packet sessions that originate (e.g., TCP SYN) from my host
>     are "invited".
>     I keep track of src, dst, port, and protocol (s/d/p/p).
>     The first time a s/d/p/p is seen, I check if the src is from my host.
>     If it is, then all s/d/p/p are "invited" (not logged).
>     Otherwise, the entire session is "uninvited" (logged).
>     NOTE: "uninvited" is not the same as "unwelcome".  My firewall
>     allows SSH connections to come in, but I still want to log the
>     entire session.
>   - A session times out after a period of inactivity.
>     - An invited session times out after 5 minutes.
>     - An uninvited session where my host replies times out after 5 minutes.
>     "Why 5 minutes?"  Many home routers timeout NAT sessions after 5
>     minutes.  If that's too short, let me know.
>     - An uninvited SYN times out after 30 seconds.
>     "Why 30 seconds?"  Prevents a SYN-ACK scan from hogging all session
>     slots.
>   - Currently, it tracks 65536+2 simultanious sessions.
>     (65536 ports + 2 more for good luck)
>     "Why a fixed number?"  Speed.  Dynamic data structures would really
>     slow down Snort.
> "Why would you want this in the first place?"
> My home firewall only logs failed packets (date/time/source).
> It doesn't log the packet contents.
> It doesn't log random packets (e.g., ACK without SYN).
> And since I'm on a cable-modem, nobody from outside should be trying
> to come in anyway.  When they do try to come in, I want to know and
> capture it.
> Is the snort project interested in this detection engine?
> Please let me know how to submit it.
> 					-Dr. Neal Krawetz
> -------------------------------------------------------
> This SF.Net email is sponsored by: INetU
> Attention Web Developers & Consultants: Become An INetU Hosting Partner.
> Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
> INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

-Daniel Uriah Clemens

Esse quam videra
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD

More information about the Snort-sigs mailing list