readme.flow

来自「This is the snapshot of Snot Latest Rule」· FLOW 代码 · 共 33 行

The Flow tracking module is meant to start unifying the state keeping
mechanisms of snort into a single place. Right now, only a portscan
detector is implemented but in the long term,  many of the stateful
subsystems of snort will be migrated over to becoming flow plugins.

An IPv4 flow is defined as a unique(IPPROTO,SIP,DIP,DPORT,SPORT)

     the DPORT and SPORT are 0 unless the protocol is TCP or UDP

memcap
   number of bytes to allocate

rows
   number of rows for the flow hash table

stats_interval

    dump statistics at a set interval to stdout. This is an integer
    representing a time in seconds.  Set this to 0 to disable.  This
    information will be dumped upon shutdown.

hash 1 - pick a hashing method

   1 - hash by byte
   2 - hash by integer ( faster, not as much of a chance to become diverse)

   The hash table has a pseudorandom salt picked to make algorithmic
   complexity attacks much more difficult

Example configuration:

preprocessor flow: stats_interval 0 hash 2