Snort mailing list archives
Re: Specific rule for bandwidth
From: Gabriel Corre <gabriel.corre () fr clara net>
Date: Tue, 15 Sep 2015 15:31:00 +0000
To be more precise, is it possible to fire an alert when a certain amount of data is transferred in a specific time interval?

-----Original Message-----
From: Gabriel Corre [mailto:gabriel.corre () fr clara net]
Sent: Tuesday, 15 September 2015 17:14
To: Davis McPherson (davmcphe) <davmcphe () cisco com>; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Specific rule for bandwidth

Ok, then it also means I cannot control data transfer in real time with stream_size, right? Do you know if there is another way?

-----Original Message-----
From: Davis McPherson (davmcphe) [mailto:davmcphe () cisco com]
Sent: Tuesday, 15 September 2015 16:47
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Specific rule for bandwidth

The stream size option is evaluated on packets when a rule is evaluated. The current stream size is computed by subtracting the current 'next seq' from the ISN (or vice-versa to handle wrapping). The value is computed for the server and client directions and then comparison is done for the directions specified by the rule against the threshold value in the rule using the comparison operator defined by the rule. There is no reset if the rule is triggered, so the stream size is a count of the number of bytes observed on the stream.

-davis mcpherson

-------- Forwarded Message --------
Subject: [Snort-users] Specific rule for bandwidth
Date: Tue, 15 Sep 2015 07:24:11 +0000
From: Gabriel Corre <gabriel.corre () fr clara net>
To: snort-users () lists sourceforge net

Hello,

I would like to use "stream_size" as a bandwidth controller. Thus I created this rule to test its functionality:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"WARNING! Session bandwidth > 8 bytes"; stream_size:both,>,8; sid:1000000001;)

I would like to know if "stream_size" is reset when the alert is triggered or if it still counts the number of bytes observed? The doc says: "The stream size keyword allows a rule to match traffic according to the number of bytes observed, as determined by the TCP sequence numbers." It doesn't pinpoint this aspect and I'm not about my bandwidth test.

Regards,

--
Gabriel Corré
Security & Network Engineering Student, Ops - Core Infrastructure

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
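The following is an added example, not code from this thread or from the Snort project, that models the stream_size evaluation Davis McPherson describes: per-direction byte counts derived as next_seq minus ISN modulo 2^32 (so a wrapped sequence number still yields the right count), compared with the rule's operator for the direction the rule names, and never reset once the rule matches. The direction keywords and operators are the ones the Snort manual lists for stream_size; the exact meaning of "both" (every named direction must satisfy the test) and "either" (at least one must) is an assumption of this model, as is the constructed session replayed at the bottom.

```python
"""Model of Snort's stream_size option (added example; not Snort's own code).

Follows the description from the thread: bytes per direction are
next_seq - ISN taken modulo 2^32 to handle wrapping, the rule's operator is
applied for the direction(s) it names, and the count is never reset when the
rule fires, so the option measures cumulative bytes on the stream, not a rate.
"""

import operator

SEQ_SPACE = 1 << 32  # TCP sequence numbers are 32-bit

# Operators accepted by stream_size in the Snort manual.
OPS = {
    "<": operator.lt, ">": operator.gt, "=": operator.eq,
    "!=": operator.ne, "<=": operator.le, ">=": operator.ge,
}


def direction_bytes(isn, next_seq):
    """Bytes observed in one direction: (next_seq - ISN) mod 2^32.

    The modulo is what makes the subtraction correct after the sequence
    number has wrapped past 2^32 - 1.
    """
    return (next_seq - isn) % SEQ_SPACE


def parse_stream_size(option):
    """Parse the option body of a rule, e.g. 'both,>,8' -> ('both', '>', 8)."""
    direction, op, number = (part.strip() for part in option.split(","))
    if direction not in ("server", "client", "both", "either"):
        raise ValueError("bad stream_size direction: %r" % direction)
    if op not in OPS:
        raise ValueError("bad stream_size operator: %r" % op)
    return direction, op, int(number)


def stream_size_matches(option, client_bytes, server_bytes):
    """Evaluate stream_size against the current per-direction byte counts."""
    direction, op, threshold = parse_stream_size(option)
    cmp = OPS[op]
    client_ok = cmp(client_bytes, threshold)
    server_ok = cmp(server_bytes, threshold)
    if direction == "client":
        return client_ok
    if direction == "server":
        return server_ok
    if direction == "both":  # assumption: both directions must pass the test
        return client_ok and server_ok
    return client_ok or server_ok  # 'either': at least one direction passes


class TcpStream:
    """Minimal per-direction sequence state, as a stream tracker would keep it."""

    def __init__(self, client_isn, server_isn):
        self.isn = {"client": client_isn, "server": server_isn}
        self.next_seq = dict(self.isn)

    def observe(self, direction, payload_len):
        """Account for one data segment; return (client_bytes, server_bytes)."""
        self.next_seq[direction] = (self.next_seq[direction] + payload_len) % SEQ_SPACE
        return tuple(direction_bytes(self.isn[d], self.next_seq[d])
                     for d in ("client", "server"))


def replay(option, client_isn, server_isn, segments):
    """Feed (direction, payload_len) segments through the stream and report,
    per segment, whether the rule's stream_size test would be true."""
    stream = TcpStream(client_isn, server_isn)
    results = []
    for direction, length in segments:
        client_bytes, server_bytes = stream.observe(direction, length)
        results.append(stream_size_matches(option, client_bytes, server_bytes))
    return results


# Constructed session: the client ISN sits 4 below the wrap point so its first
# segment crosses 2^32; the server ISN is ordinary. Lengths are payload bytes.
CLIENT_ISN = SEQ_SPACE - 4
SERVER_ISN = 1000
SEGMENTS = [("client", 6), ("server", 3), ("server", 6), ("client", 4), ("server", 1)]

if __name__ == "__main__":
    for seg, hit in zip(SEGMENTS, replay("both,>,8", CLIENT_ISN, SERVER_ISN, SEGMENTS)):
        print(seg, "alert" if hit else "-")
```

Replaying the constructed session shows the two points from the thread: the client count is 6 after the first segment even though its sequence number wrapped, and once both directions exceed 8 bytes the rule keeps matching on every further segment, because nothing resets the count. That is why stream_size cannot by itself express "N bytes within T seconds".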
Current thread:
- Specific rule for bandwidth Gabriel Corre (Sep 15)
- Message not available
- Re: Specific rule for bandwidth Davis McPherson (davmcphe) (Sep 15)
- Re: Specific rule for bandwidth Gabriel Corre (Sep 15)
- Re: Specific rule for bandwidth Gabriel Corre (Sep 15)
- Re: Specific rule for bandwidth Gabriel Corre (Sep 16)
- Re: Specific rule for bandwidth Davis McPherson (davmcphe) (Sep 15)
- Message not available