Snort mailing list archives

Re: Rules across tcp headers & http headers/payload


From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 5 Mar 2013 09:25:23 -0600

On 03/05/2013 04:23 AM, Andy Richards wrote:
Maybe something like network behavioural analysis would be the way to go with Snort feeding packets and alerts into 
such a system maybe via the unix_alertsock to identify such behaviour?

Maybe Netflow or some custom libpcap-based solution would probably work.  I've
done similar, usually tossing output from tcpdump across a pipe to Perl.

Best wishes and good luck.  Snort's really good at L7 but for L3/L4 flows like
you've described with rule chaining isn't really performance friendly for the
engine as I understand your use-case to be.
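One concrete shape for the "tcpdump across a pipe" approach the reply mentions, as an added example that is not from this thread or from the Snort project: a small Python script (Python stands in for the Perl the reply describes) that reads `tcpdump -n` text lines from stdin, reconstructs L3/L4 flow tuples, and reports sources whose bare-SYN packets touched many distinct destination ports. The line format and the sample lines are constructed for the example; the script name `flow_watch.py` and the threshold are assumptions.

```python
import re
import sys
from collections import defaultdict

# Matches the leading part of a `tcpdump -n` IPv4 line, e.g.
# "09:25:23.000001 IP 10.0.0.5.43210 > 192.168.1.10.22: Flags [S], seq 1, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
# TCP lines carry "Flags [...]"; UDP lines (DNS, etc.) do not.
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")

# Constructed sample of tcpdump text output (not a real capture):
# 10.0.0.5 sends bare SYNs to five ports, 10.0.0.7 makes one normal
# connection plus a DNS query, and one ARP line is present as noise.
SAMPLE_LINES = [
    "09:25:23.000001 IP 10.0.0.5.43210 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0",
    "09:25:23.000120 IP 10.0.0.5.43211 > 192.168.1.10.23: Flags [S], seq 2, win 64240, length 0",
    "09:25:23.000240 IP 10.0.0.5.43212 > 192.168.1.10.80: Flags [S], seq 3, win 64240, length 0",
    "09:25:23.000360 IP 10.0.0.5.43213 > 192.168.1.10.443: Flags [S], seq 4, win 64240, length 0",
    "09:25:23.000480 IP 10.0.0.5.43214 > 192.168.1.10.8080: Flags [S], seq 5, win 64240, length 0",
    "09:25:24.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28",
    "09:25:24.100000 IP 10.0.0.7.53001 > 192.168.1.1.53: 12345+ A? example.com. (29)",
    "09:25:24.200000 IP 10.0.0.7.51000 > 192.168.1.10.80: Flags [S], seq 10, win 64240, length 0",
    "09:25:24.200500 IP 10.0.0.7.51000 > 192.168.1.10.80: Flags [.], ack 1, win 502, length 0",
    "09:25:24.201000 IP 10.0.0.7.51000 > 192.168.1.10.80: Flags [P.], seq 1:80, ack 1, win 502, length 79",
]


def parse_line(line):
    """Parse one tcpdump text line into a flow record; None for lines not handled."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = FLAGS_RE.search(m.group("rest"))
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "flags": f.group("flags") if f else None,  # None for non-TCP lines
    }


def syn_sweep_sources(lines, distinct_port_threshold=5):
    """Return {src: sorted [(dst, dport), ...]} for sources whose bare-SYN
    packets reached at least distinct_port_threshold distinct (dst, port) pairs."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["flags"] != "S":
            continue  # unparseable line, non-TCP line, or not a bare SYN
        targets[rec["src"]].add((rec["dst"], rec["dport"]))
    return {
        src: sorted(pairs)
        for src, pairs in targets.items()
        if len(pairs) >= distinct_port_threshold
    }


if __name__ == "__main__":
    # Typical use: tcpdump -n -i eth0 'tcp[tcpflags] & tcp-syn != 0' | python3 flow_watch.py
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for src, pairs in sorted(syn_sweep_sources(source).items()):
        print(f"{src}: bare SYN to {len(pairs)} distinct targets: {[p for _, p in pairs]}")
```

The script keeps per-source state only for bare SYNs, which is what makes this a behavioural check on flows rather than on any single packet, and it is why the reply's point holds: a Snort rule fires per packet or per stream, so counting distinct ports per source over time is cheaper to do outside the engine than by chaining rules inside it.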


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

