[Snort-users] modular design.

Jason Robertson jason at ...734...
Wed Nov 8 15:56:02 EST 2000


Hey Fyodor

I see you decided to do the dynamic modules as I requested.

Now I have to spend time to build an audit module, to allow for quick 
auditing of at least connections.

Though has anyone noticed that MS-based browsers have a slight problem (I 
think it relates to wininet.dll), in that when a browser closes a session, it 
uses a RST flag instead of a FIN flag?  Which could be a problem with old 
web servers; I know Linux 2.0.34 would leave a large number of connections 
sitting waiting for something after a RST, and they would be infinitely held 
open.

> Date: Tue, 7 Nov 2000 15:48:18 +0700
> From: Fyodor <fygrave at ...121...>
> To: Kenny Elmore <Kenny.Elmore at ...758...>
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Multiple triggers on portscan plugin
> snort-users at lists.sourceforge.net
> 
> 
> > preprocessor portscan: $HOME_NET 10 1  /opt/snort/logs/ps.log
> > preprocessor portscan: $HOME_NET 25 10 /opt/snort/logs/ps.log
> > preprocessor portscan: $HOME_NET 120 120 /opt/snort/logs/ps.log
> > preprocessor portscan-ignorehosts: $IGNORE_HOSTS
> > 
> 
> If you can wait with this until we finish dynamically loadable modules 
> implementation, multiple initialisation of preprocessors/plugins should be
> possible there.
> 


---
Jason Robertson                
Network Analyst            
jason at ...734...    
http://www.astroadvice.com      
