[Snort-devel] Portscan2 suggestion

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Mon Oct 7 10:53:04 EDT 2002


Where is GID?  Was speaking more towards being able to show all matches
for a specific signature by matching for the unique sig_id created.

Secrets? In an open source community..... Your communist leaders (RMS)
may come and take you away.

-----Original Message-----
From: Chris Green [mailto:cmg at ...402...] 
Sent: Monday, October 07, 2002 11:07 AM
To: Kreimendahl, Chad J
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Portscan2 suggestion


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:

> Pattern matching in a database is resource intensive, and for people
> wanting to just watch for portscans, or to just list out all portscans
> and watch them in real-time, it makes it much more dificiult. 

In database stuff, just looking for a sid/gid is not pattern matching.

> I'd say for the vast majority of people using snort what you say
> works perfectly, but for those with massive amounts of data being
> collected (likely some of sourcefire's customers even) this could be
> something very useful

We have a much different set of loaders decoupled from snort.  The
output systems however will have to grow and let us do more cool
stuff(tm).

>
> So, what kind of ideas are you all passing around for the output
system?

Lots of things that we know well enough to not commit to publically
until they are done :^).  Mainly just extending what an output record
can provide.
-- 
Chris Green <cmg at ...402...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod




More information about the Snort-devel mailing list