Snort mailing list archives
Re: Compare MawiLab-Snort
From: DFIRob via Snort-users <snort-users () lists snort org>
Date: Sat, 3 Mar 2018 16:22:22 +0100
So the answer would be no, not with Snort alone. Meta rules like this are best detected using a SIEM of some sort. I'd also be interested in your reasoning that that condition would detect a SYN scan.

--rob

On Sat, Mar 3, 2018 at 1:39 AM, <rugg.vale () email it> wrote:

> Hi, and thanks for the answers to my previous question. I would like to know if it is possible to do with Snort the same analysis that MawiLab does, that is: MawiLab, given a pcap file with backbone traffic, detects a SYN scan with this condition:
>
>     (nb_src_addr < 5) && (nb_dst_addr >= 20) && (nb_packet_per_second >= 5) &&
>     (nb_tcp_over_nb_packets >= 0.8) && (nb_ack_over_nb_tcp_packets < 0.2) &&
>     (nb_syn_over_nb_tcp_packets >= 0.8) && (nb_fin_over_nb_tcp_packets < 0.2)
>
> Can I do the same condition with Snort rules, or with a Snort preprocessor, or with a combination of rules and preprocessors?
>
> Thank you for your patience,
> best regards

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
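The condition quoted in the thread is an aggregate over a set of packets (distinct address counts, packet rate, TCP flag ratios) rather than a match on any single packet's content, which is why it does not map onto a Snort rule. The following is an added example, not part of this thread and not MawiLab's or Snort's own code: a Python implementation of exactly that condition, run over constructed packet records. The `Packet` record, the sample traffic, and the fixed-window driver are assumptions made for the example; reading a real pcap would only replace how the `Packet` list is built.

```python
"""Evaluate the MawiLab SYN-scan condition over a set of packets (added example)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# TCP flag bits as they appear in the TCP header flags byte.
FIN, SYN, ACK = 0x01, 0x02, 0x10


class Packet(NamedTuple):
    """Minimal packet record (assumed shape for this example)."""
    ts: float      # capture timestamp, seconds
    src: str
    dst: str
    proto: str     # "tcp", "udp", "icmp", ...
    flags: int     # TCP flags byte; 0 for non-TCP


def mawilab_features(packets: List[Packet],
                     window_seconds: Optional[float] = None) -> Dict[str, float]:
    """Compute the seven features used in the quoted SYN-scan condition.

    Ratios are per packet: a SYN/ACK counts as both a SYN and an ACK, which
    matters if replies from scanned hosts are present in the same capture.
    """
    if not packets:
        raise ValueError("need at least one packet")
    if window_seconds is None:
        # Fall back to the observed time span, never less than one second.
        span = max(p.ts for p in packets) - min(p.ts for p in packets)
        window_seconds = max(span, 1.0)
    tcp = [p for p in packets if p.proto == "tcp"]
    n, n_tcp = len(packets), len(tcp)

    def ratio(num: int, den: int) -> float:
        return num / den if den else 0.0

    def with_flag(bit: int) -> int:
        return sum(1 for p in tcp if p.flags & bit)

    return {
        "nb_src_addr": len({p.src for p in packets}),
        "nb_dst_addr": len({p.dst for p in packets}),
        "nb_packet_per_second": n / window_seconds,
        "nb_tcp_over_nb_packets": ratio(n_tcp, n),
        "nb_ack_over_nb_tcp_packets": ratio(with_flag(ACK), n_tcp),
        "nb_syn_over_nb_tcp_packets": ratio(with_flag(SYN), n_tcp),
        "nb_fin_over_nb_tcp_packets": ratio(with_flag(FIN), n_tcp),
    }


def is_syn_scan(f: Dict[str, float]) -> bool:
    """The condition exactly as quoted in the thread."""
    return (f["nb_src_addr"] < 5
            and f["nb_dst_addr"] >= 20
            and f["nb_packet_per_second"] >= 5
            and f["nb_tcp_over_nb_packets"] >= 0.8
            and f["nb_ack_over_nb_tcp_packets"] < 0.2
            and f["nb_syn_over_nb_tcp_packets"] >= 0.8
            and f["nb_fin_over_nb_tcp_packets"] < 0.2)


def classify_windows(packets: List[Packet], window_seconds: float = 1.0) -> Dict[int, bool]:
    """Bucket packets into fixed-size time windows and apply the condition to each."""
    buckets: Dict[int, List[Packet]] = defaultdict(list)
    for p in packets:
        buckets[int(p.ts // window_seconds)].append(p)
    return {w: is_syn_scan(mawilab_features(b, window_seconds))
            for w, b in sorted(buckets.items())}


def _scan_sample() -> List[Packet]:
    # Constructed: one host sends a bare SYN to 25 targets within 0.5 s.
    return [Packet(0.02 * i, "10.0.0.5", f"192.0.2.{i + 1}", "tcp", SYN)
            for i in range(25)]


def _benign_sample() -> List[Packet]:
    # Constructed: three clients run normal TCP sessions against two servers,
    # starting at t = 2.0 s. Session: SYN, SYN/ACK, ACK, data ACK, FIN/ACK, FIN/ACK.
    pkts: List[Packet] = []
    t = 2.0
    for c in ("10.0.1.1", "10.0.1.2", "10.0.1.3"):
        for s in ("198.51.100.10", "198.51.100.20"):
            for src, dst, fl in [(c, s, SYN), (s, c, SYN | ACK), (c, s, ACK),
                                 (c, s, ACK), (c, s, FIN | ACK), (s, c, FIN | ACK)]:
                pkts.append(Packet(t, src, dst, "tcp", fl))
                t += 0.01
    return pkts


SAMPLE_TRAFFIC = _scan_sample() + _benign_sample()

if __name__ == "__main__":
    for w, hit in classify_windows(SAMPLE_TRAFFIC).items():
        print(f"window {w}: syn_scan={hit}")
```

Two caveats a practitioner will hit. First, the `nb_src_addr < 5` term only makes sense on a subset of traffic that has already been grouped (a cluster of related flows), not on a whole backbone window, which will contain far more than five sources; the fixed-window driver is only there to show the condition applied repeatedly. Second, the flag ratios are sensitive to direction: a capture that contains the targets' SYN/ACK replies pushes `nb_ack_over_nb_tcp_packets` towards the 0.2 limit even though the scan is still there, so a per-direction or per-source split is usually wanted before applying the rule. Snort's sfportscan preprocessor does flag SYN scans, but by its own heuristics, so reproducing this particular condition still needs aggregation like the above outside the rule engine.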
Current thread:
- Compare MawiLab-Snort rugg . vale (Mar 02)
- Re: Compare MawiLab-Snort DFIRob via Snort-users (Mar 03)
- <Possible follow-ups>
- Compare MawiLab-Snort rugg . vale (Mar 03)