File: README.flow

snort 2.3.3-11

The Flow tracking module is meant to start unifying the state-keeping
mechanisms of snort into a single place. Right now, only a portscan
detector is implemented, but in the long term many of the stateful
subsystems of snort will be migrated over to become flow plugins.

An IPv4 flow is defined as a unique (IPPROTO, SIP, DIP, DPORT, SPORT) tuple.

     DPORT and SPORT are 0 unless the protocol is TCP or UDP.

memcap
   number of bytes to allocate

rows
   number of rows for the flow hash table

stats_interval
   dump statistics at a set interval to stdout. This is an integer
   representing a time in seconds. Set this to 0 to disable. This
   information will also be dumped upon shutdown.

hash [1|2]
   pick a hashing method

   1 - hash by byte
   2 - hash by integer (faster, but the buckets are less evenly spread)

   The hash table has a pseudorandom salt picked to make algorithmic
   complexity attacks much more difficult
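
The following is an added illustration, not code from the snort flow module:
it builds the (IPPROTO, SIP, DIP, DPORT, SPORT) key with ports zeroed for
non-TCP/UDP traffic, and shows a byte-wise and an integer-wise salted hash
over that key. The struct layout, the mixing constants and the salt handling
are assumptions made for this example; snort's own hash functions differ.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Flow key as README.flow defines it: (IPPROTO, SIP, DIP, DPORT, SPORT).
 * Field names and layout are assumptions for this example, not snort's. */
typedef struct {
    uint32_t sip;
    uint32_t dip;
    uint16_t sport;
    uint16_t dport;
    uint8_t  proto;
    uint8_t  pad[3];   /* zeroed so byte-wise hashing is deterministic */
} flow_key_t;

/* Build a key; ports are forced to 0 unless the protocol is TCP (6) or UDP (17). */
flow_key_t make_flow_key(uint8_t proto, uint32_t sip, uint32_t dip,
                         uint16_t sport, uint16_t dport)
{
    flow_key_t k;
    memset(&k, 0, sizeof k);           /* also clears padding bytes */
    k.proto = proto;
    k.sip = sip;
    k.dip = dip;
    if (proto == 6 || proto == 17) {
        k.sport = sport;
        k.dport = dport;
    }
    return k;
}

/* "hash 1": byte-at-a-time mixing over the key, seeded with a per-process salt
 * so an attacker cannot precompute keys that land in one bucket. */
uint32_t flow_hash_bytes(const flow_key_t *k, uint32_t salt, uint32_t rows)
{
    const uint8_t *p = (const uint8_t *)k;
    uint32_t h = salt;
    for (size_t i = 0; i < sizeof *k; i++)
        h = (h ^ p[i]) * 16777619u;    /* FNV-1a style step (assumed constant) */
    return h % rows;
}

/* "hash 2": mix the key as whole integers; fewer steps, coarser dispersion. */
uint32_t flow_hash_ints(const flow_key_t *k, uint32_t salt, uint32_t rows)
{
    uint32_t h = salt ^ k->sip;
    h = (h * 31u) ^ k->dip;
    h = (h * 31u) ^ (((uint32_t)k->sport << 16) | k->dport);
    h = (h * 31u) ^ k->proto;
    return h % rows;
}
```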

Example configuration:

preprocessor flow: stats_interval 0 hash 2