[Snort-users] Submit new detection engine?

stephane nasdrovisky stephane.nasdrovisky at ...4735...
Fri Jun 20 08:07:12 EDT 2003


One thing to consider instead of timing out invited tcp sessions is to actively
check whether this session is still active or not. It can be done by sending an
ACK to both parties; if one party replies with a RST, the session is expired.
If you time out tcp sessions, you'll potentially flood your log with plenty of
false+.

Neal wrote:

>   - A session times out after a period of inactivity.
>     - An invited session times out after 5 minutes.
>     - An uninvited session where my host replies times out after 5 minutes.
>     "Why 5 minutes?"  Many home routers timeout NAT sessions after 5
>     minutes.  If that's too short, let me know.
>     - An uninvited SYN times out after 30 seconds.
>     "Why 30 seconds?"  Prevents a SYN-ACK scan from hogging all session
>     slots.

Checkpoint firewalls use different timeouts during the handshake phase (60
seconds), the FIN handshake (50 seconds) and the remainder of the packet exchange
(1 hour). It helps reduce the size of the session table, especially the
reduced syn/syn-ack/ack timeout.

>   - Currently, it tracks 65536+2 simultaneous sessions.
>     (65536 ports + 2 more for good luck)
>     "Why a fixed number?"  Speed.  Dynamic data structures would really
>     slow down Snort.

Hash tables could lead your engine to dynamic & fast behaviour. Unfortunately,
it could consume a lot of memory if not carefully analysed. Note that it would
not add any value to your engine if it targets home LANs.

Note that I think snort-users is better suited for this kind of message.
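The two suggestions in this message (per-state idle timeouts as Checkpoint does them, and probing an idle session rather than expiring it blindly) are easier to judge side by side in code. The following is an added example written for this page; it is not Snort code and not Neal's engine. The timeout values are assumptions taken from the Checkpoint figures quoted above, the session table is a plain dict (a hash table keyed by a direction-independent address tuple), and the `probe` callback stands in for the on-wire check: a real probe would inject a bare ACK towards both ends from a raw socket, treating an RST reply from either host as proof the connection is gone and an ACK reply as proof it is still held. The traffic fed to `demo()` is constructed.

```python
"""Stateful TCP session table with per-state idle timeouts and an active
liveness probe.  Added illustration for the Snort-users thread; constructed
example, not Snort code.  Timeouts and addresses are assumptions."""
from dataclasses import dataclass

# Idle timeouts in seconds, assumed from the Checkpoint figures cited in the thread.
TIMEOUTS = {
    "HANDSHAKE": 60,      # SYN seen, three-way handshake not yet complete
    "ESTABLISHED": 3600,  # data phase
    "CLOSING": 50,        # FIN seen, waiting for the close to finish
}

# TCP flag bits as laid out in the RFC 793 header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Session:
    state: str
    last_seen: float


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a flow hash to one entry."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


class SessionTable:
    """Dict-backed (hash table) tracker.  `probe(key)` models the suggestion in
    the thread: send a bare ACK to both ends and return True if either answers
    with RST (session dead), False if both still hold the connection."""

    def __init__(self, probe=None):
        self.sessions = {}
        self.probe = probe

    def packet(self, ts, src, sport, dst, dport, flags):
        """Feed one packet; return the session's state afterwards, None if untracked."""
        key = flow_key(src, sport, dst, dport)
        sess = self.sessions.get(key)
        if flags & RST:                              # RST tears the session down at once
            self.sessions.pop(key, None)
            return None
        if sess is None:
            if flags & SYN and not flags & ACK:      # only a fresh SYN opens a slot
                self.sessions[key] = Session("HANDSHAKE", ts)
                return "HANDSHAKE"
            return None                              # stray packet, not tracked
        sess.last_seen = ts
        if sess.state == "HANDSHAKE" and flags & ACK and not flags & SYN:
            sess.state = "ESTABLISHED"               # final ACK of the handshake
        elif sess.state == "ESTABLISHED" and flags & FIN:
            sess.state = "CLOSING"
        return sess.state

    def expire(self, now):
        """Drop sessions idle past their state's timeout.  An idle ESTABLISHED
        session is probed first instead of being timed out blindly, which is
        what avoids the false positives the thread warns about."""
        dropped = []
        for key, sess in list(self.sessions.items()):
            if now - sess.last_seen <= TIMEOUTS[sess.state]:
                continue
            if sess.state == "ESTABLISHED" and self.probe is not None:
                if not self.probe(key):              # no RST: both peers still hold it
                    sess.last_seen = now
                    continue
            del self.sessions[key]
            dropped.append(key)
        return dropped


def demo():
    """Constructed traffic: one idle-but-live session, one idle-and-dead
    session, one unanswered SYN.  Returns what a sweep at t=4000 drops and keeps."""
    dead = flow_key("10.0.0.2", 40001, "192.0.2.10", 80)
    table = SessionTable(probe=lambda key: key == dead)   # only the dead flow RSTs
    for sport in (40000, 40001):
        table.packet(0.0, "10.0.0.2", sport, "192.0.2.10", 80, SYN)
        table.packet(0.1, "192.0.2.10", 80, "10.0.0.2", sport, SYN | ACK)
        table.packet(0.2, "10.0.0.2", sport, "192.0.2.10", 80, ACK)
    table.packet(5.0, "198.51.100.7", 5555, "10.0.0.2", 22, SYN)   # half-open scan probe
    dropped = table.expire(4000.0)
    return {"dropped": sorted(dropped), "alive": sorted(table.sessions)}


if __name__ == "__main__":
    print(demo())
```

Two points the code makes that the thread only states: the unanswered SYN is gone after 60 seconds without touching the established sessions' budget, and the established session that has merely been quiet survives the one-hour sweep because the probe, not the clock, decides. Note that the probe turns a passive sensor into one that injects packets, which is visible to both endpoints and to any other monitor on the path.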





