[Snort-users] Taking out the traffic on ports 22 and 443 suggestive?

Brian bmc at ...950...
Thu Apr 24 09:08:06 EDT 2003


On Wed, Apr 23, 2003 at 04:28:34PM +0200, Edin Dizdarevic wrote:
> I was wondering if it would make sense to relieve Snort by taking
> out the ports 22 and 443 using the BPF filters. HTTP(S) packets are
> usually quite big and looking inside of them is quite senseless for
> obvious reasons. With SSH stream4 is additionally burdened since those
> packets are usually quite small and are filling up its memory waiting
> to be reassembled. Senseless too, IMHO...
> 
> Of course scans won't be seen, but is that really important since
> a simple connect scan will find those ports open?

Well, you will miss attacks before the encryption is set up.  (Of which
there have been a few.)

If you are really concerned, you can [ab]use httpflow to ignore
sessions after a specific number of bytes.  In the following example,
snort will start ignoring packets in sessions after 1000 bytes on ports
22 and 443.

   preprocessor httpflow: depth 1000 ports 22 443

-brian
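To make the difference between the two approaches concrete, here is an added example (not from the original thread and not Snort's own code) that models a BPF-style port exclusion next to a simplified per-session byte-depth cutoff like the httpflow `depth 1000 ports 22 443` line above. The sample packets are constructed, and the depth accounting is a simplification of what Snort actually does.

```python
# Added example: a minimal model of "drop everything on the port" (BPF) versus
# "stop inspecting a session after N bytes" (httpflow-style depth cutoff).
# Not Snort code; the byte accounting is a simplified model.
from collections import defaultdict

def bpf_port_filter(packets, ports):
    """BPF-style exclusion: every packet on the listed ports is dropped
    before inspection, including the plaintext setup at the session start."""
    return [p for p in packets if p[1] not in ports and p[3] not in ports]

def depth_filter(packets, depth, ports):
    """Depth cutoff: track bytes per session (direction-agnostic key) and
    skip packets once a session on a listed port has carried >= depth bytes.
    The early, unencrypted part of the session is still inspected."""
    seen = defaultdict(int)
    inspected = []
    for src, sport, dst, dport, n in packets:
        if sport in ports or dport in ports:
            key = frozenset([(src, sport), (dst, dport)])
            if seen[key] >= depth:
                continue  # session already past the cutoff: ignore it
            seen[key] += n
        inspected.append((src, sport, dst, dport, n))
    return inspected

# Constructed sample: one SSH session (banners, key exchange, then encrypted
# bulk data) plus one unrelated SMTP packet. Fields: src, sport, dst, dport, len.
SAMPLE = [
    ("10.0.0.5", 40000, "10.0.0.9", 22, 40),    # client banner (plaintext)
    ("10.0.0.9", 22, "10.0.0.5", 40000, 48),    # server banner (plaintext)
    ("10.0.0.5", 40000, "10.0.0.9", 22, 600),   # key exchange init
    ("10.0.0.9", 22, "10.0.0.5", 40000, 500),   # key exchange reply
    ("10.0.0.5", 40000, "10.0.0.9", 22, 1400),  # encrypted bulk
    ("10.0.0.5", 40000, "10.0.0.9", 22, 1400),  # encrypted bulk
    ("10.0.0.7", 50000, "10.0.0.9", 25, 200),   # unrelated SMTP
]

def inspected_counts(depth=1000, ports=(22, 443)):
    """Return (packets inspected with BPF exclusion, packets inspected with
    the depth cutoff) for the constructed sample."""
    ports = set(ports)
    return len(bpf_port_filter(SAMPLE, ports)), len(depth_filter(SAMPLE, depth, ports))

if __name__ == "__main__":
    bpf, depth = inspected_counts()
    print(f"BPF exclusion inspects {bpf} packet(s); depth cutoff inspects {depth}")
```

With the sample above the BPF filter inspects only the SMTP packet, while the depth cutoff still sees the banners and key exchange and drops only the encrypted bulk once the session passes 1000 bytes.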
