Snort mailing list archives

Re: Grouping connections


From: Ulisses Araújo Costa <ulissesaraujocosta () gmail com>
Date: Wed, 22 Apr 2009 18:36:53 +0100

Hi Leon,

what I want is to record that the request X has the response Y. What I
explained is that probably the request X is just a packet, but the response
Y is 4 packets. The only thing I want to know is that the flow X <> Y
happened.

2009/4/22 Leon Ward <seclists () rm-rf co uk>

Hi.

Sorry, I don't think I understand what you are asking. Can you share the
goal you are trying to achieve rather than the method you are trying to
resolve it by?

The idea is to make Snort just consider that as 2 states (me making the
request and google sending the response). The problem is I want to do that
for connections, not sessions.

If you need to differentiate between data in each flow direction, take a
look at "flow".

-Leon




2009/4/22 Ulisses Araújo Costa <ulissesaraujocosta () gmail com>

Joel,

that's what I said:

"
The problem is I want to do that for connections, not sessions.

If it were sessions I could use the 'flag' keyword.
"

But I *don't* want sessions.

2009/4/22 Joel Esler <jesler () sourcefire com>

Take a look at the tag keyword.
http://www.snort.org/docs/snort_htmanuals/htmanual_284/node373.html

The flags keyword simply will trigger on the presence of certain TCP
flags set in the packet. This is probably not what you want.

J

2009/4/22 Ulisses Araújo Costa <ulissesaraujocosta () gmail com>

Hello,

I'm using Snort in a project. I'm wondering if with Snort I can group
packets from the same connection. For example: if I request google.com,
I just send one packet but the response comes in (imagine) 4 packets. The
idea is to make Snort just consider that as 2 states (me making the request and
google sending the response). The problem is I want to do that for
connections, not sessions.

If it were sessions I could use the 'flag' keyword. Now I'm seeing if the
way is using preprocessors, in this case the HTTP preprocessor.

Can you help me?

Best Regards,

--
Ulisses Costa - http://caos.di.uminho.pt/~ulisses/


------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and
around Java (TM) technology - register by April 22, and save
$200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
300 plus technical and hands-on sessions. Register today.
Use priority code J9JMT32. http://p.sf.net/sfu/p
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




--
joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974 |
http://twitter.com/joelesler




--
Ulisses Costa - http://caos.di.uminho.pt/~ulisses/







-- 
Ulisses Costa - http://caos.di.uminho.pt/~ulisses/
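As an added example (not written by any poster in this thread), the rules below show, in Snort 2.x rule syntax, what the two suggestions in the thread look like in practice: Leon's "flow" keyword to restrict a rule to one direction of an established TCP session, and Joel's "tag" keyword to log the server's multi-packet response next to the single request packet that triggered the rule. Rules 2 and 3 go one step beyond the thread and pair request X with response Y explicitly using flowbits, so an alert is only produced when the response for an earlier request is actually seen. The hostname www.example.com, the message strings and the sids are placeholders chosen for this example.

```snort
# Added example rules, not from any poster in this thread (Snort 2.x syntax).
# www.example.com, the msg strings and the sids are placeholders.

# Rule 1: match the client's HTTP request (one packet, client -> server).
# flow:to_server,established limits the match to the client-to-server
# direction of an established session (the "flow" keyword).
# tag:session,10,packets makes Snort log the next 10 packets of the same
# session after the rule fires, so the 4-packet response is logged alongside
# the request (the "tag" keyword).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"EXAMPLE HTTP request to www.example.com, tagging session"; \
    flow:to_server,established; \
    content:"Host|3A| www.example.com"; nocase; \
    tag:session,10,packets; \
    classtype:not-suspicious; sid:1000001; rev:1; \
)

# Rule 2: remember the request without alerting. flowbits keep a named bit
# per session; flowbits:noalert suppresses the alert for this rule so only
# the paired response (rule 3) produces one.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"EXAMPLE request to www.example.com seen (no alert)"; \
    flow:to_server,established; \
    content:"Host|3A| www.example.com"; nocase; \
    flowbits:set,example.request_seen; flowbits:noalert; \
    classtype:not-suspicious; sid:1000002; rev:1; \
)

# Rule 3: fire on the first response packet (server -> client) only if the
# bit was set earlier in the same session, i.e. only when X really got Y.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXAMPLE response to earlier request (flow X <> Y completed)"; \
    flow:to_client,established; \
    content:"HTTP/1."; depth:7; \
    flowbits:isset,example.request_seen; \
    classtype:not-suspicious; sid:1000003; rev:1; \
)
```

Both "flow" and flowbits depend on the stream preprocessor (stream4 or stream5 on Snort 2.x) being enabled, since that is what supplies the "established" state and the per-session bookkeeping; without it the rules above will not match. The tag count in rule 1 (10 packets) is arbitrary; "tag:session,30,seconds" is the time-based alternative. Tagged packets are written to the same log output as the triggering alert, so a request and its multi-packet response end up together without any change to the rest of the rule set.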
