Snort mailing list archives

rule over tcp stream


From: Shoufu Luo <luoshoufu () gmail com>
Date: Thu, 16 Jun 2016 10:02:33 -0400

Hi guys,

I am searching for a guide to experimenting with a detector based on several
initial packets of a TCP stream (after the TCP session is established) for Snort. Here is
what I need:

Specify a rule which requests a notification of a TCP stream that has been
established and receives all packets (preferably TCP segments only, if
possible) associated with a particular TCP stream in both directions; then,
after a few packets, my detector may raise an alert based on the rule
specified. (And what about matching against several signatures?)

PS: it does not have to reassemble all packets for each stream, as long as
each packet can be associated with a particular stream.

I looked into preprocessors, but I am not sure whether that will work. Any
suggestions?


Sean


---
There is no such thing as randomness.
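For readers arriving at this thread with the same question, here is an added example (not part of the original post, and not Snort project code) of how the multi-packet, multi-signature case is usually expressed in the Snort 2 rule language. Stream tracking itself is done by the Stream preprocessor (stream5 in 2.9.x), which is what gives the `flow` and `flowbits` keywords their per-session state; the rules below only consume that state. The port 4444, the content strings, the flowbit name `demo.stage1`/`demo.stage2`, and the SIDs are all placeholders chosen for illustration.

```snort
# Stage 1: first client->server segment after the handshake.
# flow:established restricts the rule to sessions the Stream preprocessor has
# seen complete the three-way handshake. The flowbit is stored per session,
# and flowbits:noalert keeps this rule silent on its own.
alert tcp any any -> $HOME_NET 4444 (msg:"DEMO stage1 client greeting"; \
    flow:established,to_server; \
    content:"HELLO"; depth:5; \
    flowbits:set,demo.stage1; flowbits:noalert; \
    sid:1000001; rev:1;)

# Stage 2: a later server->client segment in the SAME session.
# flowbits:isset only matches if stage 1 already fired on this session, so the
# two signatures are correlated across packets and across directions.
alert tcp $HOME_NET 4444 -> any any (msg:"DEMO stage2 server banner"; \
    flow:established,to_client; \
    flowbits:isset,demo.stage1; \
    content:"|00 01|"; depth:2; \
    flowbits:set,demo.stage2; flowbits:noalert; \
    sid:1000002; rev:1;)

# Final decision: any further segment in either direction (<>) of a session
# that has passed both stages raises the actual alert.
alert tcp any any <> $HOME_NET 4444 (msg:"DEMO multi-stage pattern on stream"; \
    flow:established; \
    flowbits:isset,demo.stage2; \
    sid:1000003; rev:1;)
```

Two caveats a practitioner will want: flowbits are only meaningful on packets that belong to a session the Stream preprocessor is tracking, so the target ports must be covered by its `stream5_tcp` configuration; and correlation by flowbits across rules is reliable when the set and isset happen on different packets (as above), which is exactly the "after a few packets" case the post describes. Anything that needs inspection state beyond what `flowbits`, `content` and `flow` can express (for example counting arbitrary segments per direction) is the point where a dynamic preprocessor, rather than a rule, becomes necessary.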
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
