Thu Nov 23 16:36:19 EST 2017
conversation timeout: "Defaulting to 120, this defines the time in
seconds for which the conversation preprocessor maintains information.
After timeout seconds of inactivity, a conversation may be pruned to
portscan2 timeout: "Defaulting to 60, this parameter sets a time in
seconds that any scanning data will last. If this time is exceeded
without any activity from a host, data may be pruned."
For the conversation timeout, does it keep X seconds of information
for each conversation? Or does it wait for X seconds of 'quiet'
before dumping the conversation to that point? For example if either
host sends a packet at time=1 and not again until time=X-1, will the
packet from time=1 be kept at time=X+2? If a conversation continues
on for a very long time, at what point does the preprocessor start
pruning? Same questions for the portscan2 timeout as well.
And finally, how do these two timeout parameters affect each other? I
know portscan2 is supposed to be dependent on conversation, so how do
the timeout parameters work together (or not)?
Just trying to understand things a bit better. Hopefully this isn't
too stupid of a question :) Thanks for any help in advance.
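An added illustration (not part of the original message, and not Snort's own code): a small model of the inactivity-based pruning that both quoted defaults describe, run on the exact scenario asked about (packets at t=1 and t=X-1, state checked at t=X+2) and on a short scan that then goes quiet. The tracker class, the sample hosts and the strict "more than timeout seconds idle" boundary are assumptions of this model, not facts about Snort's implementation.

```python
from dataclasses import dataclass, field

CONVERSATION_TIMEOUT = 120  # seconds, the documented default
PORTSCAN2_TIMEOUT = 60      # seconds, the documented default


@dataclass
class IdleTracker:
    """Keyed state that is pruned once an entry has been idle longer than `timeout`.

    Models the inactivity wording of both quoted defaults: every packet restarts
    the clock, so an entry survives as long as traffic keeps arriving.
    (Hypothetical model for illustration; not Snort's preprocessor code.)
    """
    timeout: int
    last_seen: dict = field(default_factory=dict)

    def observe(self, key, now):
        # Prune first so an entry that already lapsed is recreated fresh, not revived.
        self.prune(now)
        self.last_seen[key] = now

    def prune(self, now):
        # Boundary is a modeling choice: strictly more than `timeout` seconds idle.
        expired = [k for k, t in self.last_seen.items() if now - t > self.timeout]
        for k in expired:
            del self.last_seen[k]
        return expired

    def is_tracked(self, key, now):
        self.prune(now)
        return key in self.last_seen


def conversation_scenario(x=CONVERSATION_TIMEOUT):
    """Packets at t=1 and t=X-1: is the conversation still there at t=X+2? At t=2X?"""
    conv = IdleTracker(x)
    flow = ("10.0.0.1", "10.0.0.2", 22)  # constructed sample flow key
    conv.observe(flow, 1)
    conv.observe(flow, x - 1)
    return conv.is_tracked(flow, x + 2), conv.is_tracked(flow, 2 * x)


def portscan_scenario(timeout=PORTSCAN2_TIMEOUT):
    """A host probes at t=0,20,40 then goes quiet: is its scan state kept at t=90? At t=101?"""
    scans = IdleTracker(timeout)
    scanner = "192.0.2.10"  # constructed sample host key
    for t in (0, 20, 40):
        scans.observe(scanner, t)
    return scans.is_tracked(scanner, 90), scans.is_tracked(scanner, 101)
```

Under this model the t=1 packet is still part of the tracked conversation at t=X+2 because the t=X-1 packet restarted the idle clock, and the scan state outlives the conversation state only by its own, shorter, idle window.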