From: Victor J. <vi...@nk...> - 2004-07-07 14:12:35
Hi Geffrey,

On Wednesday 07 July 2004 16:07, Geffrey Velasquez [MINAG] wrote:
> ---------- Original Message -----------
> From: Victor Julien <vi...@nk...>
> To: sno...@li...
> Sent: Wed, 7 Jul 2004 14:33:46 +0200
> Subject: [Snort-inline-users] logging of timed out connections in stream4
>
> > Hi list,
> >
> > After some discussions earlier on this list I came to the conclusion
> > that it would be nice to log dropped connections in the stream4
> > preprocessor that are dropped because of timeouts in the stream4
> > preprocessor.
> >
> > I noticed myself that if the timeout value for the stream4
> > preprocessor is too low some services, like msn, won't work
> > correctly. And although it can be solved by increasing the timeout
> > value I think a firewall should be able to log all drop-decisions.
> >
> > So I looked at the stream4.c from snort_inline 2.1.3a and noticed
> > that if a session is not found ((ssn = GetSession) == NULL), and the
> > packet is not a syn-packet, the packet is dropped using InlineDrop()
> > on line 1759. So I guess I could add some (optional) logging
> > function right there, correct?
> >
> > Any ideas how this should be logged? In sessions.log? Or syslog? Or
> > snort_inline-fast? Or...
>
> Could be in a file called sessions.log, not in the snort_inline-fast.

Why? The snort_inline-fast file normally logs the reasons for dropping a connection...

> > My idea would be to make the logging an option for the stream4
> > preproc, with the default being not logging.
> >
> > Something like this:
> > preprocessor stream4: disable_evasion_alerts, detect_scans, timeout 120, log_drops
> >
> > Regards,
> > Victor
>
> ------- End of Original Message -------
>
> Regards,
> Geffrey

Regards,
Victor
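
The drop path discussed in this message, modelled as an added example; it is not code from stream4.c or snort_inline and not part of the original post. The names `tracker`, `get_session`, `handle_packet` and the `last_log` buffer are hypothetical, and a single integer key stands in for the connection tuple.

```c
#include <stdio.h>
#define MAX_SSN 16
#define TH_SYN  0x02
#define TH_ACK  0x10
enum verdict { PASS, DROP };
struct ssn { unsigned key; long last_seen; int used; };
struct tracker {
    struct ssn tbl[MAX_SSN];
    long timeout;        /* seconds, as in "timeout 120" */
    int  log_drops;      /* proposed option, off by default */
    int  logged;         /* drop records written so far */
    char last_log[128];  /* stand-in for a sessions.log line */
};

/* Look up a session, expiring entries idle for longer than the timeout. */
static struct ssn *get_session(struct tracker *t, unsigned key, long now)
{
    for (int i = 0; i < MAX_SSN; i++) {
        struct ssn *s = &t->tbl[i];
        if (s->used && now - s->last_seen > t->timeout) s->used = 0;
        if (s->used && s->key == key) return s;
    }
    return NULL;
}

/* No session and not a SYN means drop; record why when log_drops is set. */
enum verdict handle_packet(struct tracker *t, unsigned key, unsigned flags, long now)
{
    struct ssn *s = get_session(t, key, now);
    if (s) { s->last_seen = now; return PASS; }
    for (int i = 0; (flags & TH_SYN) && i < MAX_SSN; i++)
        if (!t->tbl[i].used) {
            t->tbl[i] = (struct ssn){ key, now, 1 };
            return PASS;
        }
    if (t->log_drops) {
        snprintf(t->last_log, sizeof t->last_log,
                 "t=%ld key=%u flags=0x%02x drop: no session", now, key, flags);
        t->logged++;
    }
    return DROP;
}

int main(void)
{
    struct tracker t = { .timeout = 120, .log_drops = 1 };
    handle_packet(&t, 7, TH_SYN, 0);    /* session created */
    handle_packet(&t, 7, TH_ACK, 300);  /* idle 300 s > 120 s: dropped */
    puts(t.last_log);
}
```

With `log_drops` left at 0 the second packet is still dropped, but nothing records that the cause was an expired session rather than a rule match.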