Configuration for UDP session tracking. Since there is no target based binding, there should be only one occurrence of the UDP configuration.
preprocessor stream5_udp: [timeout <number secs>], [ignore_any_rules]
Option | Description |
---|---|
timeout <num seconds> | Session timeout. The default is "30", the minimum is "1", and the maximum is "86400" (approximately 1 day). |
ignore_any_rules | Don't process any -> any (ports) rules for UDP that attempt to match payload if there are no port specific rules for the src or destination port. Rules that have flow or flowbits will never be ignored. This is a performance improvement and may result in missed attacks. Using this does not affect rules that look at protocol headers, only those with content, PCRE, or byte test options. The default is "off". |
Note:
With the ignore_any_rules option, a UDP rule will be ignored except when there is another port specific rule that may be applied to the traffic. For example, if a UDP rule specifies destination port 53, the 'ignored' any -> any rule will be applied to traffic to/from port 53, but NOT to any other source or destination port. A list of rule SIDs affected by this option is printed at Snort's startup.
Note:
With the ignore_any_rules option, if a UDP rule that uses any -> any ports includes either flow or flowbits, the ignore_any_rules option is effectively pointless. Because of the potential impact of disabling a flowbits rule, the ignore_any_rules option will be disabled in this case.
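The following is an added example, not part of the Snort manual or Snort's own code: a simplified Python model of the ignore_any_rules behaviour described above, useful for reviewing a ruleset before enabling the option. The sample rules, messages and SIDs are constructed, and the parser assumes single-line rules with literal ports (no variables, port lists or ranges).

```python
import re

# Constructed sample ruleset; messages and SIDs are placeholders, not real rules.
SAMPLE_RULES = '''
alert udp any any -> any 53 (msg:"dns probe"; content:"|00 01|"; sid:1000001;)
alert udp any any -> any any (msg:"payload marker"; content:"EXAMPLE"; sid:1000002;)
alert udp any any -> any any (msg:"header only"; dsize:>1400; sid:1000003;)
alert udp any any -> any any (msg:"regex"; pcre:"/ex[a-z]+/"; sid:1000004;)
alert tcp any any -> any any (msg:"tcp rule"; content:"x"; sid:1000005;)
'''

# action, "udp", src ip, src port, direction, dst ip, dst port, (options)
RULE_RE = re.compile(
    r'^\s*\w+\s+udp\s+\S+\s+(\S+)\s+(?:->|<>)\s+\S+\s+(\S+)\s+\((.*)\)\s*$', re.I)
PAYLOAD_OPTS = ("content", "pcre", "byte_test")  # payload options named on the page
FLOW_OPTS = ("flow", "flowbits")                 # rules with these are never ignored

def has_opt(body, names):
    """True if any option keyword in names starts an option in the rule body."""
    return any(re.search(r'(?:^|;)\s*%s\s*:' % re.escape(n), body) for n in names)

def audit(rules_text):
    """Model which UDP any -> any payload rules ignore_any_rules would skip."""
    affected, ports, disabled = [], set(), False
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # non-UDP rules, comments and blank lines
        sport, dport, body = m.groups()
        sid = re.search(r'\bsid\s*:\s*(\d+)', body)
        if sport.lower() == "any" and dport.lower() == "any":
            if has_opt(body, FLOW_OPTS):
                disabled = True   # per the note: the option is disabled in this case
            elif has_opt(body, PAYLOAD_OPTS) and sid:
                affected.append(int(sid.group(1)))
        else:
            # port-specific rule: any -> any rules still apply to traffic on these ports
            ports.update(p for p in (sport, dport) if p.lower() != "any")
    return {"option_disabled": disabled,
            "affected_sids": [] if disabled else affected,
            "still_checked_on_ports": sorted(ports)}

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

The list Snort prints at startup remains the authoritative record of affected SIDs; this model only helps estimate the detection coverage given up before the option is turned on.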