[Snort-devel] Snort preprocessor to log flows

fhmiv at ...512...
Thu Oct 18 08:11:14 EDT 2001


Thanks for the replies on this.

On Wednesday, October 17, 2001, at 04:01 PM, Chris Green wrote:

> similar to ipaudit? http://ipaudit.sourceforge.net

Ipaudit is more of a one-shot tool. Its usage mode is to leave it 
running for either a specific number of packets, or until you terminate 
it with a signal. I want to track the flows continuously, and log them 
every time interval.


> I think stream4 is doing stats somewhat similar these days too

I'll have a look at stream4 and see if it can be persuaded to do what I 
want.


> Post the source somewhere and I'll take a look at it ( though that
> doesn't get you any closer to a CVS check in ) but I do find these
> type of programs interesting ( almost wrote one until ipaudit came
> along ).

Source is here: 
http://home.earthlink.net/~fhmiv/snort_flow_logger.tar.gz.


On Thursday, October 18, 2001, at 03:09 AM, Borja Marcos wrote:
> http://www.qosient.com/argus

Argus looks very versatile. Its notion of flows is a superset of what I 
need. It would be possible, though inconvenient, to use its Flow and 
Model definitions to get the behavior I want. However, because you can't 
specify ports by ranges, I am left with either writing a very large and 
complex Flow Modeler Policy Configuration, or losing the notion of 
server and client, which in this case is more important to me than 
source and destination.


Thanks for the suggestions. If you can think of ways I might do this 
more easily than with Snort, I would definitely like to hear about them.

Frank
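The flow model described in this message (flows keyed on client and server rather than source and destination, with the server side chosen by port range, and counters logged once per time interval), as an added example that is not code from the post or from Snort. The port-range table, the tie-break rule for two non-server ports, and the sample packets are assumptions made for the example.

```python
# Added example, not from the original post: a minimal flow aggregator that
# orients each flow as client->server using a port-range table and emits the
# accumulated counters once per logging interval.
from collections import defaultdict

# Assumed server-port ranges (constructed for this example): a port in any
# range marks that endpoint as the server side of the flow.
SERVER_PORT_RANGES = [(1, 1023), (3306, 3306), (8000, 8099)]


def is_server_port(port):
    return any(lo <= port <= hi for lo, hi in SERVER_PORT_RANGES)


def flow_key(proto, src, sport, dst, dport):
    """Return (proto, client, server, server_port).
    If exactly one port is in a server range, that side is the server;
    otherwise (assumed tie-break) the lower-numbered port is the server."""
    src_is_srv, dst_is_srv = is_server_port(sport), is_server_port(dport)
    server_is_dst = dst_is_srv if src_is_srv != dst_is_srv else dport <= sport
    if server_is_dst:
        return (proto, src, dst, dport)
    return (proto, dst, src, sport)


class FlowLogger:
    def __init__(self, interval):
        self.interval = interval          # logging interval in seconds
        self.next_flush = None
        # per-flow counters: [pkts c->s, bytes c->s, pkts s->c, bytes s->c]
        self.flows = defaultdict(lambda: [0, 0, 0, 0])
        self.records = []                 # (flush_time, key, counters) logged so far

    def packet(self, ts, proto, src, sport, dst, dport, length):
        if self.next_flush is None:
            self.next_flush = ts + self.interval
        while ts >= self.next_flush:      # interval elapsed: log and reset
            self.flush(self.next_flush)
        key = flow_key(proto, src, sport, dst, dport)
        ctr = self.flows[key]
        idx = 0 if src == key[1] else 2   # key[1] is the client address
        ctr[idx] += 1
        ctr[idx + 1] += length

    def flush(self, when):
        for key, ctr in sorted(self.flows.items()):
            self.records.append((when, key, tuple(ctr)))
        self.flows.clear()
        self.next_flush += self.interval
```

Both directions of a connection land in one record because the key is built from the oriented (client, server, server_port) triple rather than the packet's source and destination.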