Re: Compare MawiLab-Snort

[DFIRob via Snort-users <snort-users () lists snort org>]

So the answer would be no, not with snort alone. Meta rules like this are
best detected using a SIEM of some sorts. I'd also be interested in your
reasoning that that condition would detect a SYN scan.

--rob'

On Sat, Mar 3, 2018 at 1:39 AM, <rugg.vale () email it> wrote:

> Hi and thank for answers to my previous question. i would like to know if
> is possible to do with Snort the same analysis that do MawiLab, that is,
> the Mawilab with a pcap file with backbone traffic detect a syn scan with
> this condition: (nb_src_addr < 5) && (nb_dst_addr >= 20) &&
> (nb_packet_per_second >= 5) && (nb_tcp_over_nb_packets >= 0.8) &&
> (nb_ack_over_nb_tcp_packets < 0.2) && (nb_syn_over_nb_tcp_packets >= 0.8)
> && (nb_fin_over_nb_tcp_packets < 0.2) Can i do the same condition with
> Snort rules or with Sort preprocessor or with a combination of rule and
> preprocessors? thank you for patience best regard
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
> Please follow these rules: https://snort.org/faq/what-is-
> the-mailing-list-etiquette
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette