AW: [Snort-devel] plugin idea

Poppi, Sandro Sandro.Poppi at ...1204...
Fri Apr 2 01:15:13 EST 2004


Well, sounds good, but then the only way to achieve this would be that the
plugin has to get every packet according to the rule WITHOUT looking at the
payload, i.e. only src/dst ip/port. That would decrease performance, and on
the other hand you wouldn't need an IDS; you can do this with tcpdump as well,
or use snort with a rule using the tag keyword like

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Traffic";flags:S;tag:session,60,seconds;)

Just my 2 cents.

Regards,
Sandro
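The tag:session,60,seconds behaviour Sandro refers to can be modelled in a few lines. The following is an added example, not code from the thread or from Snort itself: a toy session tagger that raises the alert on the SYN to port 25 (flags:S) and then logs every further packet of that TCP session, in both directions, for the next 60 seconds. The addresses, the fixed 60-second window measured from the alerting packet, and the simplification that every host not listed as an SMTP server counts as $EXTERNAL_NET are assumptions of this example.

```python
"""Toy model of Snort's ``tag:session,<n>,seconds`` (added example, not Snort code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float            # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool       # True when only the SYN flag is set (rule option flags:S)
    payload: bytes = b""


# Direction-independent key: both halves of a TCP session map to the same tuple.
SessionKey = Tuple[Tuple[str, int], Tuple[str, int]]


def session_key(p: Packet) -> SessionKey:
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


@dataclass
class SessionTagger:
    smtp_servers: FrozenSet[str]          # stands in for $SMTP_SERVERS
    tag_seconds: float = 60.0             # tag:session,60,seconds
    dport: int = 25
    expiry: Dict[SessionKey, float] = field(default_factory=dict)
    captured: List[Packet] = field(default_factory=list)

    def rule_matches(self, p: Packet) -> bool:
        # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (flags:S; ...)
        # Assumption: any host not in smtp_servers is "external".
        return (p.dst in self.smtp_servers and p.dport == self.dport
                and p.syn_only and p.src not in self.smtp_servers)

    def process(self, p: Packet) -> Optional[str]:
        """Return 'alert', 'tagged', or None for a packet; log the first two."""
        key = session_key(p)
        if self.rule_matches(p):
            # The alerting packet is logged and the session is tagged from here on,
            # so with flags:S the very first packet of the session is captured.
            self.expiry[key] = p.ts + self.tag_seconds
            self.captured.append(p)
            return "alert"
        deadline = self.expiry.get(key)
        if deadline is not None:
            if p.ts <= deadline:
                self.captured.append(p)
                return "tagged"
            del self.expiry[key]      # window elapsed, stop logging this session
        return None


# Constructed sample traffic: one SMTP session plus an unrelated HTTP packet.
SAMPLE: List[Packet] = [
    Packet(0.0, "203.0.113.5", 40000, "192.0.2.25", 25, True),                 # SYN -> alert
    Packet(0.1, "192.0.2.25", 25, "203.0.113.5", 40000, False),                # SYN/ACK back
    Packet(0.5, "203.0.113.5", 40000, "192.0.2.25", 25, False, b"EHLO x"),
    Packet(1.0, "198.51.100.9", 5555, "192.0.2.10", 80, False, b"GET / HTTP/1.0"),  # not tagged
    Packet(30.0, "192.0.2.25", 25, "203.0.113.5", 40000, False, b"250 OK"),
    Packet(75.0, "203.0.113.5", 40000, "192.0.2.25", 25, False, b"QUIT"),      # past the 60 s window
]


def run(packets: List[Packet] = SAMPLE) -> Tuple[List[Optional[str]], List[Packet]]:
    tagger = SessionTagger(smtp_servers=frozenset({"192.0.2.25"}))
    verdicts = [tagger.process(p) for p in packets]
    return verdicts, tagger.captured


if __name__ == "__main__":
    verdicts, captured = run()
    for p, v in zip(SAMPLE, verdicts):
        print(f"{p.ts:5.1f}s {p.src}:{p.sport} -> {p.dst}:{p.dport} {v}")
    print(f"{len(captured)} packets written to the session log")
```

Anchoring the rule on the SYN is what makes this work: a rule that fires on a payload match mid-session can only tag forward in time, which is exactly the "beginning already lost" problem raised earlier in the thread. The cost is the one Sandro names, since every SYN to port 25 starts a capture whether or not anything interesting follows.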
> 
> 
> What do you think about this:
> making a plugin that stores all, say, tcp sessions from the very first
> packet to the very last for some rules.
> example: you have a match, say, in some smtp rule. The beginning of the
> stream with smtp headers is already lost, as are all subsequent packets.
> So you mark that smtp rule with some keyword, and when it is matched, the
> full stream is saved, say, in a pcap file for further investigation.
> 
> On Thu, Apr 01, 2004 at 08:42:27PM +0200, Piotr Kowalczyk wrote:
> > Hello World\n
> > University as fast as possible), please. 
> > I'd be _extremely_ grateful, 
> > and thank you in advance
> > 
> > 	Piotr Kowalczyk
> > 
> 
> 