From: Victor J. <vi...@nk...> - 2004-07-07 14:47:28
On Wednesday 07 July 2004 16:38, Geffrey Velásquez wrote:
> Victor Julien escribió:
> >On Wednesday 07 July 2004 16:17, Geffrey Velasquez [MINAG] wrote:
> >
> ><snip>
> >
> >>>Why? The snort_inline-fast file normally logs the reasons for
> >>>dropping a connection...
> >>
> >>I'm using ACID, this log could be stored in the ACID DB? I prefer a
> >> simple log file and alerts in the ACID DB... but maybe we could change
> >> that or maybe I'm wrong...
> >
> >Well, when looking at the code, I came under the impression that the
> > timeout is not the only trigger for dropping the connection at this point
> > in the code. 'Connections' which don't start with a SYN bit (aka scans)
> > could also match... but I'm not sure about this, so maybe the author of
> > it (Rob?) could clear this issue up?
>
> Victor, we are using the stateful inspection with Netfilter/Iptables,
> and maybe we could disable the stream4 preprocessor; what is your
> opinion? Maybe we could do some tests with tools like stick and inject
> packets in both scenarios, with stream4 enabled and disabled, and rely on
> Netfilter stateful inspection...

Ehhhh...... Now I'm confused about the use of the stream4 preprocessor... is
it 'only' a stateful inspection engine? I guess in that case we wouldn't need
it when using Netfilter stateful inspection... or does it have other
advantages (oh well, I guess you want to test just that!)

Will all rules work as they should when the stream4 preproc is disabled, and
we rely on iptables for the stateful inspection?

Victor

> >>>>>My idea would be to make the logging an option for the stream4
> >>>>>preproc, with the default being not logging.
> >>>>>
> >>>>>Something like this:
> >>>>>preprocessor stream4: disable_evasion_alerts, detect_scans, timeout
> >>>>>120, log_drops
> >
> ><snip>
> >
> >Regards,
> >Victor
>
> Regards.
> Geffrey
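The "rely on Netfilter stateful inspection" scenario Geffrey proposes, written out as an added example; this is not code from the thread or from the snort_inline project. It assumes a 2004-era snort_inline fed through ip_queue (the iptables QUEUE target), a box forwarding traffic between two interfaces (the names eth0/eth1 are assumptions, overridable via INSIDE/OUTSIDE), and that conntrack, not stream4, is what decides whether a packet belongs to a real connection. Packets conntrack cannot place in any connection, and TCP packets it marks NEW that do not carry a bare SYN (the stray or injected packets a tool like stick produces), are dropped before snort_inline sees them; only tracked traffic is queued. The script prints the rules unless APPLY=1 is set, so the ordering can be reviewed without root. Note that the `log_drops` keyword in the quoted stream4 line is Victor's proposal, not an existing option; for the "stream4 disabled" run you would comment out the `preprocessor stream4:` line in snort.conf.

```shell
#!/bin/sh
# Added example, not from the thread or from snort_inline itself.
# Netfilter does the stateful work in front of snort_inline; only packets
# that conntrack associates with a connection reach the QUEUE target.
# Assumptions: snort_inline reads from ip_queue (-j QUEUE) and the host
# forwards between $INSIDE and $OUTSIDE (interface names are assumed).
# With APPLY=1 the rules are loaded (needs root); otherwise they are printed.

INSIDE="${INSIDE:-eth0}"
OUTSIDE="${OUTSIDE:-eth1}"

# Execute the command, or echo it when not applying.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

stateful_queue_rules() {
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    # Packets conntrack cannot associate with any connection: drop them
    # before snort_inline ever sees them.
    run iptables -A FORWARD -m state --state INVALID -j DROP
    # A TCP packet conntrack classifies as NEW but that is not a bare SYN is
    # a stray ACK/RST/FIN or an injected packet, not a real connection start.
    run iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
    # Legitimate connection starts from the inside, and everything already
    # tracked, go to snort_inline for signature inspection.
    run iptables -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -m state --state NEW -j QUEUE
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j QUEUE
}

# Sanity check for dry-run mode: how many rules hand packets to snort_inline.
count_queue_rules() {
    APPLY=0 stateful_queue_rules | grep -c -- '-j QUEUE'
}

stateful_queue_rules
```

Rule order matters: the INVALID and non-SYN NEW drops must precede the QUEUE rules, otherwise those packets are handed to snort_inline after all and the comparison between the two scenarios is meaningless.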