[netflow-tools] softflowd timeouts

Damien Miller djm at mindrot.org
Mon May 2 22:55:14 EST 2005


Michael W. Lucas wrote:
> I'm looking to adjust the timeouts of softflowd so that I can get
> "closer to real-time" detection of port scans, etc.  99.99% of my
> flows on this web server farm are short-lived, so it appears that the
> TCP timeout of 3600s is a little high.
> 
> What sort of negative effects could I expect if I set the TCP timeout
> to, say, 300s?  Surely something drove setting the TCP timeout to 1
> hour?

The 1 hour timeout is for established TCP connections and should be long
so it doesn't time out quiescent sessions (e.g. long-lived FTP or ssh
sessions).

For portscan detection, you should probably adjust the TCP FIN and RST
timeouts. I should add a timeout for "unanswered" connections, which
would be useful for hosts that are packet filtered - this is already
in the TODO.

-d
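
Added example, not part of the original message and not softflowd's code: a toy model of per-state TCP flow expiry showing why shortening the FIN and RST timers speeds up export of scan flows without splitting quiet established sessions. Only the 3600 s and 300 s established-TCP values come from the thread; the other timer values, the sample flows, and the assumption that an unanswered SYN waits on the established timer are constructed for illustration.

```python
from dataclasses import dataclass

# Only tcp=3600 comes from the thread; the FIN/RST values are constructed.
BASELINE = {"tcp": 3600, "tcp.fin": 300, "tcp.rst": 120}
TUNED = {"tcp": 3600, "tcp.fin": 10, "tcp.rst": 10}       # short FIN/RST only
SHORT_TCP = {"tcp": 300, "tcp.fin": 300, "tcp.rst": 120}  # the 300 s idea

@dataclass
class Flow:
    label: str
    last_packet: int        # seconds since capture start
    fin_seen: bool = False
    rst_seen: bool = False

def timeout_class(flow: Flow) -> str:
    """Pick the timer for a flow. Checking RST before FIN is a modelling choice."""
    if flow.rst_seen:
        return "tcp.rst"
    if flow.fin_seen:
        return "tcp.fin"
    # Assumption: an unanswered SYN has no timer of its own and waits here.
    return "tcp"

def export_time(flow: Flow, timeouts: dict) -> int:
    """Capture time (s) at which the idle flow record becomes eligible for export."""
    return flow.last_packet + timeouts[timeout_class(flow)]

def splits_idle_session(idle_gap: int, timeouts: dict) -> bool:
    """True if a quiet established session is cut into two flow records."""
    return idle_gap >= timeouts["tcp"]

# Constructed sample flows: three scan probes and one normal request.
FLOWS = [
    Flow("probe, closed port (SYN -> RST)", 1, rst_seen=True),
    Flow("probe, open port (SYN -> SYN/ACK -> RST)", 2, rst_seen=True),
    Flow("probe, filtered port (SYN, no reply)", 3),
    Flow("short HTTP request (FIN both ways)", 5, fin_seen=True),
]

def report(timeouts: dict) -> dict:
    """Map each sample flow to the time its record would be exported."""
    return {f.label: export_time(f, timeouts) for f in FLOWS}

if __name__ == "__main__":
    for name, t in (("baseline", BASELINE), ("tuned", TUNED)):
        print(name, report(t))
    print("30 min idle ssh split at tcp=300:", splits_idle_session(1800, SHORT_TCP))
```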



