From: Geffrey V. [MINAG] <gve...@mi...> - 2004-07-07 14:18:01

---------- Original Message -----------
From: Victor Julien <vi...@nk...>
To: "Geffrey Velasquez [MINAG]" <gve...@mi...>
Cc: sno...@li...
Sent: Wed, 7 Jul 2004 16:12:16 +0200
Subject: Re: [Snort-inline-users] logging of timed out connections in stream4

> Hi Geffrey,
>
> On Wednesday 07 July 2004 16:07, Geffrey Velasquez [MINAG] wrote:
> > ---------- Original Message -----------
> > From: Victor Julien <vi...@nk...>
> > To: sno...@li...
> > Sent: Wed, 7 Jul 2004 14:33:46 +0200
> > Subject: [Snort-inline-users] logging of timed out connections in stream4
> >
> > > Hi list,
> > >
> > > After some discussions earlier on this list I came to the conclusion
> > > that it would be nice to log dropped connections in the stream4
> > > preprocessor that are dropped because of timeouts in the stream4
> > > preprocessor.
> > >
> > > I noticed myself that if the timeout value for the stream4
> > > preprocessor is too low some services, like msn, won't work
> > > correctly. And although it can be solved by increasing the timeout
> > > value I think a firewall should be able to log all drop-decisions.
> > >
> > > So I looked at the stream4.c from snort_inline 2.1.3a and noticed
> > > that if a session is not found ((ssn = GetSession) == NULL), and the
> > > packet is not a syn-packet, the packet is dropped using InlineDrop()
> > > on line 1759. So I guess I could add some (optional) logging
> > > function right there, correct?
> > >
> > > Any ideas how this should be logged? In sessions.log? Or syslog? Or
> > > snort_inline-fast? Or...
> >
> > Could be in a file called sessions.log, not in the snort_inline-fast.
>
> Why? The snort_inline-fast file normally logs the reasons for
> dropping a connection...
>
I'm using ACID, this log could be stored in the ACID DB? I prefer a simple log file and alerts in the ACID DB... but maybe we could change that or maybe I'm wrong...

> > > My idea would be to make the logging an option for the stream4
> > > preproc, with the default being not logging.
> > >
> > > Something like this:
> > > preprocessor stream4: disable_evasion_alerts, detect_scans, timeout
> > > 120, log_drops
> > >
> > > Regards,
> > > Victor
> > >
> > > -------------------------------------------------------
> > > This SF.Net email sponsored by Black Hat Briefings & Training.
> > > Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> > > digital self defense, top technical experts, no vendor pitches,
> > > unmatched networking opportunities. Visit www.blackhat.com
> > > _______________________________________________
> > > Snort-inline-users mailing list
> > > Sno...@li...
> > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> >
> > ------- End of Original Message -------
> >
> > Regards,
> > Geffrey
>
> Regards,
> Victor
------- End of Original Message -------
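The following is an added illustration of the decision point Victor describes (no session found and the packet is not a SYN, so it is dropped) together with the proposed `log_drops` option; it is not code from snort_inline's stream4.c or from either poster. The `stream4_opts` struct, the `parse_stream4_line` and `stream4_decide` functions, the default timeout of 30 and the format of the log record are all assumptions made for this example; the config line it parses is the one quoted in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not snort_inline's stream4.c. It models the check the
 * thread locates next to InlineDrop(): a packet that belongs to no known
 * session and is not a SYN is dropped, and the proposed log_drops option
 * decides whether that drop is recorded. Struct, function names, the
 * assumed default timeout and the log line format are example choices. */

typedef struct {
    int timeout;                 /* seconds; 30 is an assumed default here */
    int log_drops;               /* the option proposed in the thread */
    int detect_scans;
    int disable_evasion_alerts;
} stream4_opts;

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

/* Parse a line of the form
 *   preprocessor stream4: disable_evasion_alerts, detect_scans, timeout 120, log_drops
 * Returns 0 on success, -1 on an unknown keyword or a malformed line. */
int parse_stream4_line(const char *line, stream4_opts *o)
{
    const char *prefix = "preprocessor stream4:";
    memset(o, 0, sizeof *o);
    o->timeout = 30;
    if (strncmp(line, prefix, strlen(prefix)) != 0)
        return -1;

    const char *p = line + strlen(prefix);
    while (*p) {
        while (*p == ' ') p++;                 /* skip leading blanks */
        const char *start = p;
        while (*p && *p != ',') p++;           /* a token runs to the next comma */
        size_t n = (size_t)(p - start);
        while (n && (start[n - 1] == ' ' || start[n - 1] == '\n'))
            n--;                               /* trim trailing blanks */
        if (*p == ',') p++;
        if (n == 0) continue;

        char tok[64];
        if (n >= sizeof tok) return -1;
        memcpy(tok, start, n);
        tok[n] = '\0';

        if (strcmp(tok, "log_drops") == 0)                   o->log_drops = 1;
        else if (strcmp(tok, "detect_scans") == 0)           o->detect_scans = 1;
        else if (strcmp(tok, "disable_evasion_alerts") == 0) o->disable_evasion_alerts = 1;
        else if (strncmp(tok, "timeout ", 8) == 0)           o->timeout = atoi(tok + 8);
        else return -1;                        /* unknown keyword */
    }
    return 0;
}

/* No session and not a SYN means drop. When log_drops is set, a one-line
 * record (destined for something like sessions.log) is written into out;
 * otherwise out is left empty. */
enum verdict stream4_decide(const stream4_opts *o, int session_found, int is_syn,
                            const char *src, const char *dst,
                            char *out, size_t outlen)
{
    if (out && outlen) out[0] = '\0';
    if (session_found || is_syn)
        return VERDICT_PASS;                   /* known stream, or a new handshake */
    if (o->log_drops && out)
        snprintf(out, outlen,
                 "stream4: dropped %s -> %s: no session and not a SYN (timeout %d)",
                 src, dst, o->timeout);
    return VERDICT_DROP;
}

int main(void)
{
    /* Constructed config line and packets for the demo. */
    stream4_opts o;
    if (parse_stream4_line("preprocessor stream4: disable_evasion_alerts, "
                           "detect_scans, timeout 120, log_drops", &o) != 0)
        return 1;
    char rec[160];
    /* A mid-stream packet whose session has timed out: dropped and logged. */
    stream4_decide(&o, 0, 0, "10.0.0.5:3456", "10.0.0.9:1863", rec, sizeof rec);
    puts(rec[0] ? rec : "(no log)");
    /* A fresh SYN with no session: passes, nothing logged. */
    stream4_decide(&o, 0, 1, "10.0.0.5:3457", "10.0.0.9:1863", rec, sizeof rec);
    puts(rec[0] ? rec : "(no log)");
    return 0;
}
```

Keeping the decision and the logging in one function is the point of the example: the drop verdict is the same whether or not `log_drops` is set, so enabling the option only adds a record of a decision the preprocessor was already making, which is what the thread asks for when a too-low timeout silently breaks a service.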