[Snort-users] Stream4

Martin Roesch roesch at ...1935...
Mon Jan 28 18:51:15 EST 2002


On 1/28/02 5:43 PM, "Matt Jonkman" <matt at ...4024...> wrote:

> Where can I find more detailed documentation on stream4?
> 
> Specifically, I'm wondering if the detect_scans functionality replaces the
> abilities of the portscan preprocessor.

Not yet.  Right now it detects stealth scans and nmap fingerprint scanning,
but we don't have the code in to statefully pick up SYN scans.

IMHO, I think we should move to post-process detection of SYN/UDP scans by
utilizing the keep_stats function that stream4 supports, there's no burning
need for real-time detection of SYN scans in the general case (but that's
just me talking...)

> We'd prefer to use the stream4 plugin as it formats database entries
> correctly with source and dest IP making things much easier to research.
> 
> I can make stream4 alert on a very overt xmas scan, but nothing for a syn or
> tcp scan. Are there parameters to set to make it more sensitive?

Nope.  We've toyed with the idea of doing things like looking for short
sessions (SYN-SYNACK-RST, full connect with RST) and detecting just them,
we've also toyed with the idea of doing straight rate detection for SYN
packets.  Both methods have their ups and downs from a performance and
memory management perspective, which is why I've held off on implementing
them.

If you want to take a stab at implementing it, I'll take a look at what you
come up with.


     -Marty

-- 
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
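The post-process approach Marty sketches above (reading stream4's per-session records after the fact, picking out short sessions such as SYN-SYNACK-RST or connect-then-RST, and applying a rate threshold per source) as an added example. This is not code from the original post or from Snort; the record format below is a constructed CSV stand-in, not stream4's real keep_stats output, and the session shapes, window and threshold are assumptions chosen for illustration.

```python
"""Post-process session records to flag SYN / connect scans.

Assumed input (constructed for this example, NOT stream4's keep_stats format):
    start,end,src,sport,dst,dport,flags,cbytes,sbytes
where flags is the packet-by-packet TCP flag sequence of the session
(client and server packets interleaved, '|'-separated) and cbytes/sbytes
are payload bytes sent by client and server.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: 10.0.0.5 probes six ports in 50 ms (half-open, closed-port
# and full-connect shapes), 10.0.0.7 has one real SSH session plus one stray
# probe, 10.0.0.8 makes three short sessions spread over seconds (benign).
SAMPLE_RECORDS = """\
start,end,src,sport,dst,dport,flags,cbytes,sbytes
1012257780.000,1012257780.001,10.0.0.5,40001,10.0.0.9,22,S|SA|R,0,0
1012257780.010,1012257780.011,10.0.0.5,40002,10.0.0.9,23,S|RA,0,0
1012257780.020,1012257780.021,10.0.0.5,40003,10.0.0.9,25,S|SA|R,0,0
1012257780.030,1012257780.031,10.0.0.5,40004,10.0.0.9,80,S|SA|A|R,0,0
1012257780.040,1012257780.041,10.0.0.5,40005,10.0.0.9,110,S|RA,0,0
1012257780.050,1012257780.051,10.0.0.5,40006,10.0.0.9,443,S|SA|R,0,0
1012257700.000,1012257795.500,10.0.0.7,51000,10.0.0.9,22,S|SA|A|PA|PA|FA|FA|A,2310,8844
1012257781.000,1012257781.001,10.0.0.7,51001,10.0.0.9,8080,S|RA,0,0
1012257782.000,1012257782.001,10.0.0.8,52000,10.0.0.9,22,S|SA|R,0,0
1012257783.000,1012257783.001,10.0.0.8,52001,10.0.0.9,80,S|SA|R,0,0
1012257784.000,1012257784.001,10.0.0.8,52002,10.0.0.9,443,S|SA|R,0,0
"""


@dataclass(frozen=True)
class Session:
    start: float
    end: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: tuple  # e.g. ("S", "SA", "R")
    cbytes: int
    sbytes: int

    @property
    def duration(self) -> float:
        return self.end - self.start


def parse_sessions(text: str) -> list:
    """Parse the assumed CSV record format into Session objects."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Session(float(r["start"]), float(r["end"]), r["src"], int(r["sport"]),
                r["dst"], int(r["dport"]), tuple(r["flags"].split("|")),
                int(r["cbytes"]), int(r["sbytes"]))
        for r in rows
    ]


def is_short_session(s: Session, max_duration: float = 1.0) -> bool:
    """A probe-shaped session: opened with SYN, no payload either way, torn
    down by a RST within a few packets (covers SYN-SYNACK-RST, SYN-RST/ACK to
    a closed port, and a full connect immediately aborted with RST)."""
    if s.cbytes or s.sbytes or s.duration > max_duration:
        return False
    return s.flags[0] == "S" and "R" in s.flags[-1] and len(s.flags) <= 4


def detect_syn_scans(sessions: list, window: float = 5.0, threshold: int = 5) -> dict:
    """Rate detection per source: count distinct (dst, dport) targets of short
    sessions inside a sliding time window. Returns {src: max_targets_seen}
    for every source that reached the threshold (thresholds are assumptions)."""
    by_src = defaultdict(list)
    for s in sessions:
        if is_short_session(s):
            by_src[s.src].append(s)

    alerts = {}
    for src, sess in by_src.items():
        sess.sort(key=lambda x: x.start)
        lo = 0
        for hi in range(len(sess)):
            while sess[hi].start - sess[lo].start > window:
                lo += 1
            targets = {(x.dst, x.dport) for x in sess[lo:hi + 1]}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for src, n in detect_syn_scans(parse_sessions(SAMPLE_RECORDS)).items():
        print(f"SYN scan suspected from {src}: {n} distinct targets in window")
```

Because this runs over completed session records rather than live packets, it needs no per-packet state of its own, which is the performance and memory argument for doing it offline; the trade-off is that a scan is only reported after the sessions it consists of have been closed out and logged.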
