From: Victor J. <vi...@nk...> - 2004-07-07 16:14:15

Hey Will,

I was thinking about implementing this myself, however I will be on a holiday the next two weeks, so I guess I will be too late by then ;-) However I was wondering how you want to implement this. Which log facility do you plan to use? What information do you plan to log? date-time, src_ip:src_port -> dst_ip:dst_port, tcp flags, action? Something like this?

Regards,
Victor

On Wednesday 07 July 2004 16:49, William Metcalf wrote:
> This is correct, if stream4 does not have a session for packet p and the
> SYN flag is not set it will be dropped. I'll try to add in the log_drops
> option to stream4 if I have time, but it might be a couple of days.
>
> Regards,
>
> Will
>
> Victor Julien <vi...@nk...> wrote on 07/07/2004 09:27 AM
> (To: "Geffrey Velasquez [MINAG]" <gve...@mi...>, cc: sno...@li...urceforge.net,
> Subject: Re: [Snort-inline-users] logging of timed out connections in stream4):
>
> > On Wednesday 07 July 2004 16:17, Geffrey Velasquez [MINAG] wrote:
> > <snip>
> > > > Why? The snort_inline-fast file normally logs the reasons for
> > > > dropping a connection...
> > >
> > > I'm using ACID, this log could be stored in the ACID DB? I prefer a simple
> > > log file and alerts in the ACID DB... but maybe we could change that or
> > > maybe I'm wrong...
> >
> > Well, when looking at the code, I came under the impression that the timeout
> > is not the only trigger for dropping the connection at this point in the
> > code. 'Connections' which don't start with a syn bit (aka scans) could also
> > match... but I'm not sure about this, so maybe the author of it (Rob?) could
> > clear this issue up?
> >
> > > > > My idea would be to make the logging an option for the stream4
> > > > > preproc, with the default being not logging.
> > > > >
> > > > > Something like this:
> > > > > preprocessor stream4: disable_evasion_alerts, detect_scans, timeout
> > > > > 120, log_drops
> >
> > <snip>
> >
> > Regards,
> > Victor
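To make the two drop triggers discussed in the thread concrete (a session that times out, and a packet with no session and no SYN flag), here is a small added model of that decision logic together with a log record in the layout Victor asks about (date-time, src_ip:src_port -> dst_ip:dst_port, tcp flags, action). This is example code written for this page, not snort_inline's stream4 implementation; the class and function names, the `drop_no_session` and `timeout` action labels, and the sample packets are all constructed here.

```python
"""Toy model of the stream4 drop decision and a 'log_drops'-style record.

Constructed for illustration; not snort_inline code. A session table is keyed
by the 4-tuple. A packet that matches no session (in either direction) and has
no SYN flag is dropped; sessions idle longer than 'timeout' seconds are expired.
With log_drops on, both events produce a log line.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# TCP flag bits from the TCP header; only the ones the demo needs.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_ORDER = [(SYN, "S"), (ACK, "A"), (PSH, "P"), (FIN, "F"), (RST, "R")]


def flag_string(flags: int) -> str:
    """Render set flag bits as letters, e.g. SYN|ACK -> 'SA'."""
    return "".join(letter for bit, letter in FLAG_ORDER if flags & bit) or "-"


@dataclass
class Packet:
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int

    def key(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self):
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def log_line(ts: datetime, key: tuple, flags: int, action: str) -> str:
    """date-time, src_ip:src_port -> dst_ip:dst_port, tcp flags, action."""
    src_ip, src_port, dst_ip, dst_port = key
    return (f"{ts:%Y-%m-%d %H:%M:%S} {src_ip}:{src_port} -> {dst_ip}:{dst_port} "
            f"flags={flag_string(flags)} action={action}")


@dataclass
class Stream4Model:
    timeout: int = 120            # seconds, like 'timeout 120' in the config line
    log_drops: bool = False       # the proposed 'log_drops' option (hypothetical)
    sessions: dict = field(default_factory=dict)   # 4-tuple -> (last_seen, last_flags)
    log: list = field(default_factory=list)

    def _expire(self, now: datetime) -> None:
        """Drop idle sessions; this is the 'timed out connection' case."""
        for key, (last_seen, last_flags) in list(self.sessions.items()):
            if (now - last_seen).total_seconds() > self.timeout:
                del self.sessions[key]
                if self.log_drops:
                    self.log.append(log_line(now, key, last_flags, "timeout"))

    def process(self, p: Packet) -> str:
        """Return 'pass' or 'drop' for one packet, logging drops if enabled."""
        self._expire(p.ts)
        for key in (p.key(), p.reverse_key()):
            if key in self.sessions:               # belongs to a tracked session
                self.sessions[key] = (p.ts, p.flags)
                return "pass"
        if p.flags & SYN:                          # new session starts with SYN
            self.sessions[p.key()] = (p.ts, p.flags)
            return "pass"
        # No session and no SYN: the case Will describes, and the one that
        # also catches non-SYN scan probes as Victor notes.
        if self.log_drops:
            self.log.append(log_line(p.ts, p.key(), p.flags, "drop_no_session"))
        return "drop"


def run_demo(log_drops: bool = True):
    """Feed four constructed packets through the model; return verdicts and log."""
    t0 = datetime(2004, 7, 7, 16, 14, 15)
    packets = [
        Packet(t0, "10.0.0.1", 40000, "10.0.0.2", 80, SYN),                         # handshake start
        Packet(t0 + timedelta(seconds=1), "10.0.0.2", 80, "10.0.0.1", 40000, SYN | ACK),  # reply direction
        Packet(t0 + timedelta(seconds=2), "10.0.0.3", 50000, "10.0.0.2", 22, ACK),   # bare ACK, no session
        Packet(t0 + timedelta(seconds=200), "10.0.0.1", 40000, "10.0.0.2", 80, ACK), # after timeout
    ]
    s4 = Stream4Model(timeout=120, log_drops=log_drops)
    verdicts = [s4.process(p) for p in packets]
    return verdicts, s4.log


if __name__ == "__main__":
    verdicts, log = run_demo()
    print(verdicts)
    print("\n".join(log))
```

The third packet is dropped and logged as `drop_no_session`; the fourth arrives 199 seconds after the session was last seen, so the session is first logged as `timeout` and the packet is then dropped for the same no-session reason. Keeping the action field distinct for the two cases is what lets a reviewer of the log tell a genuinely idle connection from a scan-style probe, which is the ambiguity Victor raises.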