[Snort-devel] plugin idea

Sergey Lyubka devnull at ...2232...
Mon Apr 5 02:51:21 EDT 2004


You got me wrong I think.
I would like to see only those flows that triggered some alerts.
There is no need to store 'legitimate' flows.

something like ethereal's 'follow TCP stream' thing,
but only for those matching some rules.

You do need an IDS, i.e. a detection engine, to do that.

On Fri, Apr 02, 2004 at 11:06:42AM +0200, Poppi, Sandro wrote:
> 
> Well, sounds good, but then the only way to achieve this would be that the
> plugin has to get every packet according to the rule WITHOUT looking at the
> payload, i.e. only src/dst ip/port. That would decrease performance, and on
> the other hand you wouldn't need an IDS, you can do this with tcpdump also,
> or use snort with a rule using the tag keyword like
> 
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP
> Traffic";flags:S;tag:session,60,seconds)
> 
> Just my 2 cents.
> 
> Regards,
> Sandro
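Added illustration (not code from the thread or from Snort) of the post-alert flow capture the thread discusses: it keeps only the flows on which a detection engine raised an alert, bounded by the same 60-second window as the tag:session,60,seconds rule quoted above, and renders them ethereal-style as one stream per direction. The packet records, the alert record and the helper names are constructed assumptions.

```python
"""Post-alert flow capture: store only TCP flows that triggered an alert,
then render each kept flow as one byte stream per direction (the
'follow TCP stream' view). Constructed sample data, not Snort code."""
from collections import defaultdict

WINDOW = 60  # seconds of session kept after an alert, as in tag:session,60,seconds


def flow_key(pkt):
    """Direction-independent 5-tuple so both halves of a TCP session match."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return ("tcp",) + tuple(sorted([a, b]))


def tagged_flows(packets, alerts, window=WINDOW):
    """Return {flow_key: [packets]} for flows that raised an alert.

    A flow is kept from its first alert until `window` seconds later;
    flows that never alerted are not stored at all.
    """
    first_alert = {}
    for alert in alerts:
        key = flow_key(alert)
        first_alert[key] = min(alert["ts"], first_alert.get(key, alert["ts"]))
    kept = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        key = flow_key(pkt)
        if key in first_alert and first_alert[key] <= pkt["ts"] <= first_alert[key] + window:
            kept[key].append(pkt)
    return dict(kept)


def follow_stream(flow_packets):
    """Concatenate payload per direction, like ethereal's 'Follow TCP Stream'."""
    streams = defaultdict(bytes)
    for pkt in flow_packets:
        streams[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])] += pkt["payload"]
    return dict(streams)


# Constructed sample traffic: one SMTP session that trips a rule, one that does not.
PACKETS = [
    {"ts": 0, "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.25", "dport": 25, "payload": b""},
    {"ts": 1, "src": "192.0.2.25", "sport": 25, "dst": "10.0.0.5", "dport": 40001, "payload": b"220 mail ready\r\n"},
    {"ts": 2, "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.25", "dport": 25, "payload": b"EHLO example\r\n"},
    {"ts": 70, "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.25", "dport": 25, "payload": b"QUIT\r\n"},
    {"ts": 0, "src": "10.0.0.9", "sport": 40002, "dst": "192.0.2.25", "dport": 25, "payload": b""},
    {"ts": 1, "src": "192.0.2.25", "sport": 25, "dst": "10.0.0.9", "dport": 40002, "payload": b"220 mail ready\r\n"},
]
# Constructed alert record from the engine, fired on the SYN of the first session.
ALERTS = [{"ts": 0, "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.25", "dport": 25}]
```

The QUIT packet at 70 seconds falls outside the window and the second session never alerted, so only the first three packets of session one are retained.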



