No subject

Thu Nov 23 16:36:19 EST 2017

conversation timeout: "Defaulting to 120, this defines the time in
seconds for which the conversation preprocessor maintains information.
After timeout seconds of inactivity, a conversation may be pruned to
save resources"

portscan2 timeout: "Defaulting to 60, this parameter sets a time in
seconds that any scanning data will last.  If this time is exceeded
without any activity from a host, data may be pruned."

For the conversation timeout, does it keep X seconds of information
for each conversation?  Or does it wait for X seconds of 'quiet'
before dumping the conversation to that point?  For example if either
host sends a packet at time=1 and not again until time=X-1, will the
packet from time=1 be kept at time=X+2?  If a conversation continues
on for a very long time, at what point does the preprocessor start
pruning?  Same questions for the portscan2 timeout as well.

And finally, how do these two timeout parameters affect each other?  I
know portscan2 is supposed to be dependent on conversation, so how do
the timeout parameters work together (or not)?

Just trying to understand things a bit better.  Hopefully this isn't
too stupid of a question :) Thanks for any help in advance.



More information about the Snort-users mailing list