Snort mailing list archives
Re: The lack of a "client" and "server" definition in snort...
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 7 Jun 2001 08:07:51 +1200
On Tue, Jun 05, 2001 at 08:16:27AM -0600, Jed Haile wrote:
What you might be alerting off is the actual HTML being sent from server:80 -> client:2301.
I know that - I'm sorry if my Email wasn't explicit enough about that. What I want to know is if snort can DIFFERENTIATE between client and server packets.
So, are such "stateful" matches possible? Is that what the stream2 preprocessor will eventually be used for? At the moment I assume it "only" (trying not to offend anyone ;-) bundles lots of packets within a TCP session to make them appear as one really large packet WRT rule matches? I don't know if such "handedness" actually exists in the rules, but a combination of "handedness" plus stream2 recording which host-port pair instigated a session would probably do what I'm describing?
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Cheers
Jason Haar
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
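The "handedness" idea in the message above, as an added example that is not part of the original post and is not Snort code: a session table records which host-port pair sent the opening SYN, and a port 2301 rule is evaluated both direction-blind and restricted to packets sent by the initiator. The `Packet` record, the `SessionTable` class, the addresses and the `/admin` content string are constructed for illustration.

```python
from collections import namedtuple

# Constructed packet record: only the fields needed to decide direction.
Packet = namedtuple("Packet", "src sport dst dport flags payload")

class SessionTable:
    """Remembers which endpoint sent the opening SYN of each TCP session."""
    def __init__(self):
        self._client = {}  # unordered endpoint pair -> (ip, port) of initiator

    def direction(self, p):
        """Return 'to_server', 'to_client', or 'unknown' (no SYN was seen)."""
        key = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        if "S" in p.flags and "A" not in p.flags:  # bare SYN: sender is client
            self._client[key] = (p.src, p.sport)
        client = self._client.get(key)
        if client is None:
            return "unknown"
        if "R" in p.flags:                         # reset ends the session
            del self._client[key]
        return "to_server" if (p.src, p.sport) == client else "to_client"

def blind_match(p, port, content):
    """Direction-blind rule: destination port plus payload content."""
    return p.dport == port and content in p.payload

def run_rules(packets, port=2301, content=b"/admin"):
    """Return (blind, handed): packet indexes alerted by each rule variant."""
    table, blind, handed = SessionTable(), [], []
    for i, p in enumerate(packets):
        to_server = table.direction(p) == "to_server"  # track every packet
        if blind_match(p, port, content):
            blind.append(i)
            if to_server:
                handed.append(i)
    return blind, handed

WEB, PC, MGMT = "192.0.2.10", "198.51.100.5", "198.51.100.9"  # constructed
SAMPLE = [
    Packet(PC, 2301, WEB, 80, "S", b""),    # PC's ephemeral port is 2301
    Packet(WEB, 80, PC, 2301, "SA", b""),
    Packet(PC, 2301, WEB, 80, "PA", b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet(WEB, 80, PC, 2301, "PA", b'<a href="/admin">admin</a>'),
    Packet(PC, 40000, MGMT, 2301, "S", b""),  # real session to port 2301
    Packet(MGMT, 2301, PC, 40000, "SA", b""),
    Packet(PC, 40000, MGMT, 2301, "PA", b"GET /admin HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print(run_rules(SAMPLE))
```

The direction-blind rule alerts on the web server's HTML reply to the client whose source port happens to be 2301, while the initiator-aware variant alerts only on the request actually sent to a service on port 2301.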