From: Victor J. <vi...@nk...> - 2004-07-07 12:33:55
Hi list,

After some discussions earlier on this list I came to the conclusion that it would be nice to log connections that are dropped because of timeouts in the stream4 preprocessor. I noticed myself that if the timeout value for the stream4 preprocessor is too low, some services, like msn, won't work correctly. And although it can be solved by increasing the timeout value, I think a firewall should be able to log all drop decisions.

So I looked at the stream4.c from snort_inline 2.1.3a and noticed that if a session is not found ((ssn = GetSession) == NULL), and the packet is not a syn-packet, the packet is dropped using InlineDrop() on line 1759. So I guess I could add some (optional) logging function right there, correct?

Any ideas how this should be logged? In sessions.log? Or syslog? Or snort_inline-fast? Or...

My idea would be to make the logging an option for the stream4 preproc, with the default being not logging. Something like this:

    preprocessor stream4: disable_evasion_alerts, detect_scans, timeout 120, log_drops

Regards,
Victor
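The drop path described in the message, as an added sketch that is not part of the original post and is not snort_inline's stream4.c: a small self-contained model in which a non-SYN packet with no live session is dropped, and the drop is logged only when a `log_drops` setting is on. Every name, the session table, the log buffer and the sample packet are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdint.h>

/* Hypothetical model of the behaviour in the post; not snort_inline code. */
#define TH_SYN 0x02
#define MAX_SSN 16
enum verdict { PASS, DROP };
struct pkt { uint32_t sip, dip; uint16_t sport, dport; uint8_t flags; long ts; };
struct ssn { int used; uint32_t sip, dip; uint16_t sport, dport; long last_seen; };
struct cfg { long timeout; int log_drops; };  /* log_drops: the proposed option */
static struct ssn table[MAX_SSN];
static char last_log[160];                    /* stands in for the chosen log sink */

/* Look up the packet's 4-tuple; a session idle longer than timeout is expired. */
static struct ssn *get_session(const struct pkt *p, const struct cfg *c)
{
    for (int i = 0; i < MAX_SSN; i++) {
        struct ssn *s = &table[i];
        if (!s->used || s->sip != p->sip || s->dip != p->dip ||
            s->sport != p->sport || s->dport != p->dport)
            continue;
        if (p->ts - s->last_seen > c->timeout) { s->used = 0; return NULL; }
        return s;
    }
    return NULL;
}

/* Verdict for one packet; writes a log line only for a drop with log_drops set. */
enum verdict stream_decide(const struct pkt *p, const struct cfg *c)
{
    struct ssn *s = get_session(p, c);
    last_log[0] = '\0';
    if (s) { s->last_seen = p->ts; return PASS; }
    if (p->flags & TH_SYN)                    /* new connection: start tracking */
        for (int i = 0; i < MAX_SSN; i++)
            if (!table[i].used) {
                table[i] = (struct ssn){1, p->sip, p->dip, p->sport, p->dport, p->ts};
                return PASS;
            }
    if (c->log_drops)                         /* also reached when the table is full */
        snprintf(last_log, sizeof last_log, "DROP no session %08x:%u -> %08x:%u flags=0x%02x",
                 (unsigned)p->sip, (unsigned)p->sport, (unsigned)p->dip, (unsigned)p->dport, (unsigned)p->flags);
    return DROP;
}

int main(void)
{
    struct cfg c = {120, 1};
    struct pkt p = {0x0a000001, 0x0a000002, 40000, 1863, 0x10, 0}; /* constructed */
    return stream_decide(&p, &c) == DROP && puts(last_log) >= 0 ? 0 : 1;
}
```

With logging off the verdicts are unchanged; only the record of the drop differs, which is the visibility gap the message is asking to close.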