Snort mailing list archives
Re: Rules across tcp headers & http headers/payload
From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 5 Mar 2013 09:25:23 -0600
On 03/05/2013 04:23 AM, Andy Richards wrote:
> Maybe something like network behavioural analysis would be the way to go, with Snort feeding packets and alerts into such a system, maybe via the unix_alertsock, to identify such behaviour?
Maybe Netflow or some custom libpcap-based solution would probably work. I've done similar, usually tossing output from tcpdump across a pipe to Perl. Best wishes and good luck. Snort's really good at L7, but for L3/L4 flows like you've described, rule chaining isn't really performance friendly for the engine, as I understand your use-case to be.
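The tcpdump-to-script pipeline suggested above, as an added example that is not from the thread or from Snort: a Python stand-in for the Perl side that reads `tcpdump -l -n -tt` lines and keeps per-source state across packets (here, pure SYNs to many distinct ports within a short window), the kind of L3/L4 flow logic that rule chaining handles poorly. It assumes IPv4 TCP lines in tcpdump's default non-verbose format; the sample lines are constructed.

```python
# Added illustration (not code from the thread): consume `tcpdump -l -n -tt` lines from a
# pipe and flag behaviour that spans packets: one source SYN-probing many ports quickly.
import re
import sys
from collections import defaultdict, deque
# Leading part of an IPv4 TCP line as printed by `tcpdump -n -tt` (without -v).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
# Constructed sample: a normal handshake, an ARP line to ignore, then 10.0.0.5 probing six ports.
SAMPLE = [
    "1362489923.000000 IP 10.0.0.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0",
    "1362489923.100000 IP 192.0.2.10.80 > 10.0.0.7.40001: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "1362489924.000000 ARP, Request who-has 192.0.2.1 tell 10.0.0.5, length 28",
] + [
    "1362489925.%06d IP 10.0.0.5.5%04d > 192.0.2.10.%d: Flags [S], seq 1, win 1024, length 0"
    % (i * 100000, i, port)
    for i, port in enumerate([21, 22, 23, 25, 80, 443])
]

def parse_line(line):
    """Return (ts, src, dst, dport, flags) for a TCP line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (float(m["ts"]), m["src"], m["dst"], int(m["dport"]), m["flags"])

def find_port_sweeps(lines, max_ports=5, window=10.0):
    """List (ts, src, ports) each time a source SYNs > max_ports distinct ports within window s."""
    recent = defaultdict(deque)  # src -> deque of (ts, dport), oldest first
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[4] != "S":  # skip non-TCP lines and anything but a pure SYN
            continue
        ts, src, _dst, dport, _flags = rec
        q = recent[src]
        q.append((ts, dport))
        while ts - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) > max_ports:
            alerts.append((ts, src, sorted(ports)))
            q.clear()  # one alert per sweep; a new window starts afterwards
    return alerts

if __name__ == "__main__":  # e.g. tcpdump -l -n -tt -i eth0 tcp | python3 sweeps.py
    for ts, src, ports in find_port_sweeps(SAMPLE if sys.stdin.isatty() else sys.stdin):
        print(f"{ts:.3f} {src} sent SYNs to {len(ports)} ports: {ports}")
```

The `-l` flag makes tcpdump line-buffer its output so the script sees packets as they arrive rather than in 4 KiB chunks.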