Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Emergency Ports

from [Matthew Watchinski] Network Security [Permanent Link]
Subject: Re: [Snort-users] Emergency Ports
Date: Thu, 12 Jan 2006 12:09:32 -0500
If "state_protection" is enabled then emergency ports is the list of ports to do reassembly on, when in self preservation conditions. These are the ports we view as "necessary" for catching exploits during bad traffic conditions.

/* initialize the self preservation counters */
    s4data.sp_threshold      = SELF_PRES_THRESHOLD;
    s4data.sp_period         = SELF_PRES_PERIOD;
    s4data.suspend_threshold = SUSPEND_THRESHOLD;
    s4data.suspend_period    = SUSPEND_PERIOD;
    s4data.state_protection  = 0;

[..snip..]

else if(!strcasecmp(stoks[0], "state_protection"))
{
    s4data.state_protection = 1;
}

[..snip..]


/*
             * keep track of how many sessions per second we're creating
             * vs. the number of data packets per second we get on
             * those sessions
*/
if(s4data.state_protection)
    ++s4_emergency.new_session_count;

[..snip..]

else if(s4_emergency.new_session_count >= s4data.sp_threshold)
{
    s4_emergency.status = OPS_SELF_PRESERVATION;

[..]

Cheers,
Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.

Martin Olsson wrote: 
What is "Emergency Ports" found in stream4_reassemble and when/how are
they used?
The "emergency ports" seem to be the default portlist, containing
other ports than the ones I have specified with the "reassemble ports"
directive...

Example:

Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: random
    Flush base: 512
    Flush seed: 1137077499
    Flush range: 1213
    Ports: 20 21 23 25 53 80 110 111 143 513 1433 1521 3306 5432 6666 6667 8080
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 
1521 3306

/Martin



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Snort-users] Flow Established Help, Ramon L. Fernandez
Next by Date:  [Snort-users] EUSecWest papers and CanSecWest CFP, Dragos Ruiu
Previous by Thread:  [Snort-users] Emergency Ports, Martin Olsson
Next by Thread:  [Snort-users] Barnyard crash, Humes, David G.
Indexes:  [Date] [Thread] [Top] [All Lists]