Matt Kettler wrote:
No, this is a port_limit exceeded issue, not a nubmer of targets issue.
It doesn't matter how many machines are on my lan, or if the number of
them is greater than targets_max. The number of targets in the alert is
1 :)
Are you absolutely sure :-)
I understand the situation completely. Questions are sometimes intended
to get information as much as they are intended to get a thought rolling.
so, a look at the docs shows
targets_max - number of nodes to allocate to represent hosts
We can see that the setting targets_max limits the "number of nodes
created to represent hosts"
Why would you need to know targets_max unless a structure of some sort
is used and you wanted to limit its size?
Why would you need a structure for the target host nodes?
Maybe it is all to track these state issues like a syn originating from
the home network first.
besides the initial comments in the code...
/* state based portscan detector
* by Jed Haile <jhaile@nitrodata.com>
* version 0.0.1
* todo: 1. track timestamp, src, dst, proto, sport/icode,
dport/itype, length
*/
So, if one purpose happens to be a "state based portscan detector" to
help eliminate the case you present then if there are not enough nodes
in the struct to represent your net it would stand to reason that there
is no way to track that this Syn Ack corresponds to a Syn originating
from you.
Now I would think that since portscan2 is used by conversation whose
purpose is to "allow Snort to get basic conversation status on protocols
rather than just with TCP as done in spp_stream4" the information is
likely available and that the settings here could also have an impact on
how this situation is handled.
Conversation might also be used to enable tracking of UDP meta state so
that DNS servers can be handled a lot better or even scans on odd funky
rarely used protocols.
I figure these things are all in the minds of the developers and I will
bet you that the answers are clearly in the code ;-)
-J
[snip rest]
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users