Snort mailing list archives
RE: [Off topic] Traffic analysis
From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Fri, 5 Dec 2003 18:20:02 -0800 (PST)
Erwin,

I forgot to mention two other ways to collect session data:

4. Tcptrace (http://irg.cs.ohiou.edu/software/tcptrace) may be built with packet analysis in mind, but it also provides session data.

5. Snort's stream4 preprocessor can flush session stats periodically if told via "keepstats". The following logs session data to the file ssn_logs:

    preprocessor stream4: detect_scans, disable_evasion_alerts, keepstats db /nsm/snort/ssn_logs

The keepstats output isn't intended for direct human consumption, but it can be parsed to provide more readable output. We use this method for session data in the Sguil project (http://sguil.sf.net).

Argus, SANCP, tcptrace, and Snort keepstats can all be run against pcap traces. I'm not sure if the NetFlow tools do this.

Sincerely,

Richard
http://taosecurity.com
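The message notes that keepstats session records are machine-oriented and need parsing before an analyst can read them. The script below is an added example, not part of the original post or of the Snort or Sguil projects: it turns per-session records into a readable, ranked summary and flags long-lived or high-volume sessions. The comma-separated column order and the sample rows are constructed assumptions for illustration, not the documented stream4 keepstats layout.

```python
# Added example (not from the original message, Snort or Sguil).
# ASSUMPTION: column order below is illustrative; consult your Snort
# version's stream4 documentation for the real keepstats layout.
import csv
import io
from datetime import datetime, timezone

# Constructed sample records in the assumed layout:
# start_epoch,end_epoch,src_ip,src_port,dst_ip,dst_port,src_pkts,src_bytes,dst_pkts,dst_bytes
SAMPLE = """\
1070668802,1070668803,10.0.0.5,34567,10.0.0.1,53,1,72,1,160
1070668810,1070672410,10.0.0.7,40123,203.0.113.9,443,4200,310000,3900,25000000
1070668850,1070668852,10.0.0.5,34570,10.0.0.1,22,12,900,10,1400
"""

FIELDS = ["start", "end", "sip", "sport", "dip", "dport",
          "spkts", "sbytes", "dpkts", "dbytes"]
INT_FIELDS = ("start", "end", "sport", "dport", "spkts", "sbytes", "dpkts", "dbytes")


def parse_sessions(text):
    """Parse assumed-layout session records into dicts with numeric fields."""
    sessions = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # skip partial or malformed lines instead of aborting
        rec = dict(zip(FIELDS, row))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        rec["duration"] = rec["end"] - rec["start"]
        rec["total_bytes"] = rec["sbytes"] + rec["dbytes"]
        sessions.append(rec)
    return sessions


def summarize(sessions, min_bytes=1_000_000, min_seconds=3600):
    """Return readable lines, largest session first, with outlier flags."""
    lines = []
    for s in sorted(sessions, key=lambda r: r["total_bytes"], reverse=True):
        flags = []
        if s["total_bytes"] >= min_bytes:
            flags.append("high-volume")
        if s["duration"] >= min_seconds:
            flags.append("long-lived")
        ts = datetime.fromtimestamp(s["start"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        line = (f"{ts} {s['sip']}:{s['sport']} -> {s['dip']}:{s['dport']} "
                f"{s['duration']}s {s['sbytes']}B/{s['dbytes']}B")
        if flags:
            line += " [" + ", ".join(flags) + "]"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_sessions(SAMPLE))))
```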