Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Grouping connections

From: Ulisses Araújo Costa <ulissesaraujocosta () gmail com>
Date: Mon, 27 Apr 2009 15:08:22 +0100
One session have many connection. And one connection have many packets... I
think the problem is that  don't explain what connection means to me...

2009/4/24 Ulisses Araújo Costa <ulissesaraujocosta () gmail com>


I want identify connection not sessions. I want more detail: connections...

2009/4/24 Joel Esler <jesler () sourcefire com>

A session is made up of connections.  Now I am throughly confused about

what you are asking for.
J

2009/4/24 Ulisses Araújo Costa <ulissesaraujocosta () gmail com>

Joel Esler, with 'tag:session' I just can identify the session. I want be

able to identify connections.

2009/4/23 Joel Esler <jesler () sourcefire com>

The fact that the alert took place tells you that flow X <> Y happened.


J

2009/4/22 Ulisses Araújo Costa <ulissesaraujocosta () gmail com>


Hi Leon,

what I want is to record that the request X have the response Y. What I
explained, is that probably the request X is just a packet, but the response
Y is 4 packets. The only thing I want to know is that the flow X <> Y
happened.

2009/4/22 Leon Ward <seclists () rm-rf co uk>

Hi.


Sorry I don't think I understand what you are asking. Can you share
the goal you are trying to achieve rather than the method you are trying to
resolve it by?


The idea is make Snort just consider that as 2 states (me making the

request and google sending the response). The problem is I want to make that
to connections, not sessions.

If you need to differentiate between data in each flow direction, take
a look at "flow".

-Leon




2009/4/22 Ulisses Araújo Costa <ulissesaraujocosta () gmail com>


Joel,

that's what I said:

"
The problem is I want to make that to connections, not sessions.

If it was sessions I can use the 'flag' keyword.
"

But I *don't* want sessions.

2009/4/22 Joel Esler <jesler () sourcefire com>


Take a look at the tag keyword.
http://www.snort.org/docs/snort_htmanuals/htmanual_284/node373.html

The flags keyword simply will trigger on the presence of certain TCP
flags set in the packet.  This is probably not what you want.

J

2009/4/22 Ulisses Araújo Costa <ulissesaraujocosta () gmail com>


 Hello,

I'm using Snort in a project. I'm wondering if with Snort I can
group packets from the same connection. For example: if I request
google.com, I just send one packet but the response came in
(imagine) 4 packets. The idea is make Snort just consider that as 2 states
(me making the request and google sending the response). The problem is I
want to make that to connections, not sessions.

If it was sessions I can use the 'flag' keyword. Now I'm seeing if
the way is using preprocessors, in this case the HTTP preprocessor.

Can you help me?

Best Regards,

--
Ulisses Costa - http://caos.di.uminho.pt/~ulisses/<http://caos.di.uminho.pt/%7Eulisses/>


------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and
around Java (TM) technology - register by April 22, and save
$200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
300 plus technical and hands-on sessions. Register today.
Use priority code J9JMT32. http://p.sf.net/sfu/p
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





--
joel esler | Sourcefire | gtalk: jesler () sourcefire com |
302-223-5974 | http://twitter.com/joelesler





--
Ulisses Costa - http://caos.di.uminho.pt/~ulisses/<http://caos.di.uminho.pt/%7Eulisses/>


------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and
around Java (TM) technology - register by April 22, and save
$200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
300 plus technical and hands-on sessions. Register today.
Use priority code J9JMT32. http://p.sf.net/sfu/p
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







--
Ulisses Costa - http://caos.di.uminho.pt/~ulisses/<http://caos.di.uminho.pt/%7Eulisses/>





--
joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974 |
http://twitter.com/joelesler





--
Ulisses Costa - http://caos.di.uminho.pt/~ulisses/<http://caos.di.uminho.pt/%7Eulisses/>





--
joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974 |
http://twitter.com/joelesler





--
Ulisses Costa - http://caos.di.uminho.pt/~ulisses/<http://caos.di.uminho.pt/%7Eulisses/>





-- 
Ulisses Costa - http://caos.di.uminho.pt/~ulisses/

------------------------------------------------------------------------------
Crystal Reports &#45; New Free Runtime and 30 Day Trial
Check out the new simplified licensign option that enables unlimited
royalty&#45;free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: