Snort mailing list archives
Re: Grouping connections
From: Ulisses Araújo Costa <ulissesaraujocosta () gmail com>
Date: Mon, 27 Apr 2009 15:08:22 +0100
One session has many connections. And one connection has many packets... I think the problem is that nobody has explained what "connection" means to me...

2009/4/24 Ulisses Araújo Costa <ulissesaraujocosta () gmail com>
> I want to identify connections, not sessions. I want more detail: connections...
>
> 2009/4/24 Joel Esler <jesler () sourcefire com>
>> A session is made up of connections. Now I am thoroughly confused about what you are asking for.
>>
>> J
>>
>> 2009/4/24 Ulisses Araújo Costa <ulissesaraujocosta () gmail com>
>>> Joel Esler, with 'tag:session' I can just identify the session. I want to be able to identify connections.
>>>
>>> 2009/4/23 Joel Esler <jesler () sourcefire com>
>>>> The fact that the alert took place tells you that flow X <> Y happened.
>>>>
>>>> J
>>>>
>>>> 2009/4/22 Ulisses Araújo Costa <ulissesaraujocosta () gmail com>
>>>>> Hi Leon, what I want is to record that the request X has the response Y. What I explained is that probably the request X is just one packet, but the response Y is 4 packets. The only thing I want to know is that the flow X <> Y happened.
>>>>>
>>>>> 2009/4/22 Leon Ward <seclists () rm-rf co uk>
>>>>>> Hi. Sorry, I don't think I understand what you are asking. Can you share the goal you are trying to achieve rather than the method you are trying to resolve it by?
>>>>>>
>>>>>>> The idea is to make Snort just consider that as 2 states (me making the request and google sending the response). The problem is I want to make that to connections, not sessions.
>>>>>>
>>>>>> If you need to differentiate between data in each flow direction, take a look at "flow".
>>>>>>
>>>>>> -Leon
>>>>>>
>>>>>> 2009/4/22 Ulisses Araújo Costa <ulissesaraujocosta () gmail com>
>>>>>>> Joel, that's what I said: "The problem is I want to make that to connections, not sessions. If it was sessions I could use the 'flag' keyword." But I *don't* want sessions.
>>>>>>>
>>>>>>> 2009/4/22 Joel Esler <jesler () sourcefire com>
>>>>>>>> Take a look at the tag keyword. http://www.snort.org/docs/snort_htmanuals/htmanual_284/node373.html
>>>>>>>>
>>>>>>>> The flags keyword will simply trigger on the presence of certain TCP flags set in the packet. This is probably not what you want.
>>>>>>>>
>>>>>>>> J
>>>>>>>>
>>>>>>>> 2009/4/22 Ulisses Araújo Costa <ulissesaraujocosta () gmail com>
>>>>>>>>> Hello, I'm using Snort in a project. I'm wondering if with Snort I can group packets from the same connection.
>>>>>>>>>
>>>>>>>>> For example: if I request google.com, I just send one packet but the response comes in (imagine) 4 packets. The idea is to make Snort just consider that as 2 states (me making the request and google sending the response). The problem is I want to make that to connections, not sessions. If it was sessions I could use the 'flag' keyword. Now I'm seeing if the way is using preprocessors, in this case the HTTP preprocessor. Can you help me?
>>>>>>>>>
>>>>>>>>> Best Regards,
>>>>>>>>> --
>>>>>>>>> Ulisses Costa - http://caos.di.uminho.pt/~ulisses/
>>>>>>>>
>>>>>>>> --
>>>>>>>> joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974 | http://twitter.com/joelesler
-- Ulisses Costa - http://caos.di.uminho.pt/~ulisses/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
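To make the keyword suggestions in this thread concrete, here is an added example (editor's, not rules from any of the posters): three Snort 2 rules showing how "flow" separates the request direction from the response direction of one established TCP session, how "tag:session" records the multi-packet response together with the single request packet that triggered the alert, and why "flags" alone does not group anything. It assumes the standard $HOME_NET/$EXTERNAL_NET variables from snort.conf; the sids in the 1000000+ local range are constructed for this example.

```snort
# Added example, not from the thread. $HOME_NET/$EXTERNAL_NET are the usual
# snort.conf variables; sids 1000001-1000004 are constructed local-rule ids.

# 1. "flow" restricts a rule to one direction of an established TCP stream,
#    so the request and the response are matched by separate rules even
#    though they belong to the same session.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"HTTP request to server"; \
    flow:to_server,established; content:"GET "; depth:4; \
    sid:1000001; rev:1;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"HTTP response to client"; \
    flow:to_client,established; content:"HTTP/1."; depth:7; \
    sid:1000002; rev:1;)

# 2. "tag:session" logs the packets that follow the alert in the same
#    session (here the next 20 packets, both directions), so a one-packet
#    request and a four-packet response end up recorded as one exchange.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"HTTP request, log exchange"; \
    flow:to_server,established; content:"GET "; depth:4; \
    tag:session,20,packets; sid:1000003; rev:1;)

# 3. "flags" only tests TCP flag bits in a single packet (here a bare SYN);
#    it carries no notion of session membership or flow direction.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Bare SYN to web port"; \
    flags:S; sid:1000004; rev:1;)
```

Rule 3 fires on the SYN alone and logs nothing else; rules 1 and 2 each see only their own direction; rule 3's counterpart for grouping is the tag in rule 2, which is what the replies above point to.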