[Snort-devel] Portscan2 suggestion

Chris Green cmg at ...402...
Mon Oct 7 09:08:10 EDT 2002


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:

> Pattern matching in a database is resource intensive, and for people
> wanting to just watch for portscans, or to just list out all portscans
> and watch them in real-time, it makes it much more difficult.

In database stuff, just looking for a sid/gid is not pattern matching.

> I'd say for the vast majority of people using snort what you say
> works perfectly, but for those with massive amounts of data being
> collected (likely some of sourcefire's customers even) this could be
> something very useful

We have a much different set of loaders decoupled from snort.  The
output systems however will have to grow and let us do more cool
stuff(tm).

>
> So, what kind of ideas are you all passing around for the output system?

Lots of things that we know well enough to not commit to publicly
until they are done :^).  Mainly just extending what an output record
can provide.
-- 
Chris Green <cmg at ...402...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
