[Snort-sigs] Submit new detection engine?
daniel_clemens at ...842...
Thu Jun 19 09:29:13 EDT 2003
Why don't you use another firewall or log incoming and outgoing packets on
On Tue, 17 Jun 2003, Neal wrote:
> How do I submit a new snort detection engine plugin?
> It is a detection-engine called "uninvited".
> It looks for any inbound packets that are not part of a reply.
> Here's what it looks for:
> - Any packets not to or from the host (-h) are "uninvited".
> Rational: The packet made it to my system without an invitation.
> Since I didn't ask for them to send packets to me, they are
> - Any packet sessions that originate (e.g., TCP SYN) from my host
> are "invited".
> I keep track of src, dst, port, and protocol (s/d/p/p).
> The first time a s/d/p/p is seen, I check if the src is from my host.
> If it is, then all s/d/p/p are "invited" (not logged).
> Otherwise, the entire session is "uninvited" (logged).
> NOTE: "uninvited" is not the same as "unwelcome". My firewall
> allows SSH connections to come in, but I still want to log the
> entire session.
> - A session times out after a period of inactivity.
> - An invited session times out after 5 minutes.
> - An uninvited session where my host replies times out after 5 minutes.
> "Why 5 minutes?" Many home routers timeout NAT sessions after 5
> minutes. If that's too short, let me know.
> - An uninvited SYN times out after 30 seconds.
> "Why 30 seconds?" Prevents a SYN-ACK scan from hogging all session
> - Currently, it tracks 65536+2 simultaneous sessions.
> (65536 ports + 2 more for good luck)
> "Why a fixed number?" Speed. Dynamic data structures would really
> slow down Snort.
> "Why would you want this in the first place?"
> My home firewall only logs failed packets (date/time/source).
> It doesn't log the packet contents.
> It doesn't log random packets (e.g., ACK without SYN).
> And since I'm on a cable-modem, nobody from outside should be trying
> to come in anyway. When they do try to come in, I want to know and
> capture it.
> Is the snort project interested in this detection engine?
> Please let me know how to submit it.
> -Dr. Neal Krawetz
-Daniel Uriah Clemens
Esse quam videra
(to be, rather than to appear)
http://www.birmingham-infragard.org | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760 EA1F 0424 6DF6 F662 F5BD
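The classifier Neal describes in the quoted message (invited vs. uninvited sessions keyed on the s/d/p/p tuple, with the 5-minute and 30-second inactivity timeouts and a fixed-size table) can be simulated in a few dozen lines. The block below is an added illustration for this archive page, not the "uninvited" plugin itself or any Snort code; it keys each session on both endpoints plus protocol so that a reply maps back to the originating session, and it reports but does not track a new session once the fixed table is full, both of which are assumptions the message does not spell out. All packets are constructed sample data.

```python
"""Simulation of the "uninvited" session classifier (added example, not the plugin)."""
from dataclasses import dataclass

INVITED_TIMEOUT = 300        # invited session: 5 minutes of inactivity
REPLIED_TIMEOUT = 300        # uninvited session the host answered: 5 minutes
UNANSWERED_TIMEOUT = 30      # uninvited SYN with no reply yet: 30 seconds
MAX_SESSIONS = 65536 + 2     # fixed table size quoted in the message


@dataclass
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str = ""          # e.g. "S", "SA", "A"; informational only here


@dataclass
class Session:
    invited: bool            # first packet of the session came from our host
    last_seen: float
    replied: bool = False    # our host has sent at least one packet in it

    def timeout(self) -> int:
        if self.invited:
            return INVITED_TIMEOUT
        return REPLIED_TIMEOUT if self.replied else UNANSWERED_TIMEOUT


class UninvitedTracker:
    def __init__(self, host: str):
        self.host = host
        self.sessions: dict = {}
        self.log: list = []  # (timestamp, reason, packet) for everything "uninvited"

    @staticmethod
    def key(p: Packet):
        # Assumption: key on both endpoints so the reply direction hits the same entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (min(a, b), max(a, b), p.proto)

    def expire(self, now: float) -> None:
        # Drop sessions idle longer than their own timeout class allows.
        stale = [k for k, s in self.sessions.items() if now - s.last_seen > s.timeout()]
        for k in stale:
            del self.sessions[k]

    def process(self, p: Packet) -> str:
        self.expire(p.ts)
        if self.host not in (p.src, p.dst):
            # Not to or from the monitored host: always uninvited.
            self.log.append((p.ts, "foreign", p))
            return "uninvited"
        k = self.key(p)
        s = self.sessions.get(k)
        if s is None:
            if len(self.sessions) >= MAX_SESSIONS:
                # Assumption: table full -> report the packet but do not track it.
                self.log.append((p.ts, "untracked", p))
                return "uninvited"
            s = Session(invited=(p.src == self.host), last_seen=p.ts)
            self.sessions[k] = s
        s.last_seen = p.ts
        if p.src == self.host:
            s.replied = True
        if s.invited:
            return "invited"
        self.log.append((p.ts, "uninvited", p))
        return "uninvited"

    def active_sessions(self) -> int:
        return len(self.sessions)


def run_demo():
    """Feed a constructed packet sequence through the tracker; returns (verdicts, tracker)."""
    host = "192.0.2.10"
    t = UninvitedTracker(host)
    pkts = [
        Packet(0, host, 40000, "198.51.100.5", 80, "tcp", "S"),    # outbound SYN: invited
        Packet(1, "198.51.100.5", 80, host, 40000, "tcp", "SA"),   # reply: same invited session
        Packet(2, "203.0.113.7", 55555, host, 22, "tcp", "S"),     # inbound SSH SYN: uninvited
        Packet(3, host, 22, "203.0.113.7", 55555, "tcp", "SA"),    # host answers: still logged
        Packet(5, "203.0.113.9", 1234, host, 443, "tcp", "S"),     # unanswered SYN: 30 s class
        Packet(10, "203.0.113.7", 55555, host, 22, "tcp", "A"),    # SSH session continues
        Packet(40, "203.0.113.9", 1234, host, 443, "tcp", "S"),    # old entry expired; new one
        Packet(50, "10.0.0.1", 1111, "10.0.0.2", 2222, "udp"),     # neither side is the host
    ]
    return [t.process(p) for p in pkts], t


if __name__ == "__main__":
    verdicts, tracker = run_demo()
    for (ts, reason, p), v in zip(tracker.log, [v for v in verdicts if v == "uninvited"]):
        print(f"t={ts:>4} {reason:<10} {p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto}")
    print("active sessions:", tracker.active_sessions())
```

Note that the SSH session stays "uninvited" even after the host replies, which is exactly the "uninvited is not unwelcome" distinction in the message: the firewall permits it, but every packet of the session is still logged, and the reply only moves it from the 30-second to the 5-minute timeout class.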