[Snort-users] Taking out the traffic on ports 22 and 443 suggestive?

Erek Adams erek at ...950...
Wed Apr 23 08:53:10 EDT 2003


On Wed, 23 Apr 2003, Edin Dizdarevic wrote:

> I was wondering if it would make sense to relieve Snort by taking
> out the ports 22 and 443 using the BPF filters. HTTP(S) packets are
> usually quite big and looking inside of them is quite senseless for
> obvious reasons. With SSH stream4 is additionally burdened since those
> packets are usually quite small and are filling up its memory waiting
> to be reassembled. Senseless too, IMHO...

Yep.  Very, very true.  Losing those ports could be a really good thing,
esp. if your network has large amounts of traffic on those ports.

> Of course scans won't be seen, but is that really important since
> a simple connect scan will find those ports open?

*shrug*  You can tweak the BPF filters in quite a few ways.  You could
look for just PSH and ACK packets on one of those ports.  That would cut
down the amount of data you had to look at, but still keep some ability
to deal with scans.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
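An added worked example (not part of the original thread, and not Snort's own code): it writes out the BPF expressions that the two approaches above correspond to, in tcpdump/Snort filter syntax, and mirrors each one as a Python predicate over a small set of constructed packets so the trade-off can be measured. The three policies are: drop ports 22 and 443 entirely; drop them but keep bare SYNs on those ports (so connect scans stay visible); and keep only PSH+ACK packets on those ports, which is what the reply literally describes. The packet sizes and port numbers are made up for illustration.

```python
"""Constructed example: compare BPF filter strategies for ports 22 and 443.

Each predicate below mirrors the BPF expression named next to it, using
the same flag bits tcpdump exposes through tcp[tcpflags]. The sample
traffic is constructed, not captured.
"""
from dataclasses import dataclass

# TCP flag bits, the same values tcpdump's tcp-syn / tcp-push / tcp-ack
# keywords expand to inside a tcp[tcpflags] expression.
TH_SYN = 0x02
TH_PSH = 0x08
TH_ACK = 0x10

WATCHED_PORTS = (22, 443)

# BPF expressions (tcpdump / Snort 2.x syntax). Note that "tcp port 22"
# matches the port as either source or destination.
BPF_DROP_PORTS = "not (tcp port 22 or tcp port 443)"
BPF_KEEP_SYN = ("not (tcp port 22 or tcp port 443) "
                "or (tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn)")
BPF_PSH_ACK_ONLY = ("not (tcp port 22 or tcp port 443) "
                    "or (tcp[tcpflags] & (tcp-push|tcp-ack) == (tcp-push|tcp-ack))")


@dataclass(frozen=True)
class Packet:
    sport: int
    dport: int
    flags: int
    length: int  # bytes on the wire


def on_watched_port(p: Packet) -> bool:
    """Equivalent of "tcp port 22 or tcp port 443"."""
    return p.sport in WATCHED_PORTS or p.dport in WATCHED_PORTS


def passes_drop_ports(p: Packet) -> bool:
    """Mirror of BPF_DROP_PORTS: nothing on 22/443 reaches Snort."""
    return not on_watched_port(p)


def passes_keep_syn(p: Packet) -> bool:
    """Mirror of BPF_KEEP_SYN: 22/443 only for bare SYNs (scan visibility)."""
    if not on_watched_port(p):
        return True
    return (p.flags & (TH_SYN | TH_ACK)) == TH_SYN


def passes_psh_ack_only(p: Packet) -> bool:
    """Mirror of BPF_PSH_ACK_ONLY: 22/443 only for PSH+ACK data segments."""
    if not on_watched_port(p):
        return True
    return (p.flags & (TH_PSH | TH_ACK)) == (TH_PSH | TH_ACK)


def bytes_seen(packets, policy) -> int:
    """Bytes that would still be handed to Snort under a policy."""
    return sum(p.length for p in packets if policy(p))


def scan_syns_seen(packets, policy) -> int:
    """Bare SYNs (the probes a connect scan sends) that survive the filter."""
    return sum(1 for p in packets
               if policy(p) and (p.flags & (TH_SYN | TH_ACK)) == TH_SYN)


# Constructed sample: a few large HTTPS segments, small SSH segments,
# one pure ACK on SSH, SYN probes against 22, 443 and 80, and HTTP data.
SAMPLE = [
    Packet(443, 51000, TH_PSH | TH_ACK, 1400),
    Packet(443, 51000, TH_PSH | TH_ACK, 1400),
    Packet(22, 52000, TH_PSH | TH_ACK, 80),
    Packet(22, 52000, TH_PSH | TH_ACK, 80),
    Packet(52000, 22, TH_ACK, 52),
    Packet(40000, 22, TH_SYN, 60),
    Packet(40001, 443, TH_SYN, 60),
    Packet(40002, 80, TH_SYN, 60),
    Packet(80, 53000, TH_PSH | TH_ACK, 1200),
]

POLICIES = {
    "unfiltered": lambda p: True,
    BPF_DROP_PORTS: passes_drop_ports,
    BPF_KEEP_SYN: passes_keep_syn,
    BPF_PSH_ACK_ONLY: passes_psh_ack_only,
}


def summarize(packets=SAMPLE) -> dict:
    """Per policy: (bytes Snort still inspects, scan SYNs it still sees)."""
    return {name: (bytes_seen(packets, fn), scan_syns_seen(packets, fn))
            for name, fn in POLICIES.items()}


if __name__ == "__main__":
    for name, (nbytes, syns) in summarize().items():
        print(f"{nbytes:5d} bytes, {syns} scan SYNs  <- {name}")
```

Snort 2.x takes a BPF expression either as the trailing argument on the command line or from a file via `-F`; the thread does not say which version was in use, so check your own build's documentation for the exact form. The point the numbers make is that dropping the ports outright saves the most bytes but blinds you to SYN probes on them, keeping bare SYNs costs only a few dozen bytes per probe while retaining that visibility, and keeping PSH+ACK segments retains nearly all of the bulk the original poster wanted to shed.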



