[Snort-devel] stream4 preprocessor
bamm at ...101...
Thu Apr 29 10:28:06 EDT 2004
Check out sancp. We have support for it and stream4 keep_stats in sguil. I prefer sancp because it can log TCP/UDP/ICMP traffic and I can create generic filters for things that would quickly fill my DB (like outbound HTTP).
Personally, I don't think you want snort to do everything (single point of failure can be bad).
On Thu, Apr 29, 2004 at 12:32:42PM -0700, Glenn MacGregor wrote:
> Hi All,
> Right now I am using snort for just intrusion detection. I saw that I can setup
> the stream4 preprocessor to write all tcp connections to a unified file upon
> restart. This is a great feature! Unfortunately I need a bit more, I would like a
> unified format file of all traffic (TCP, UDP and ICMP). I can't find anything
> within snort that will do this.
> So I am thinking about writing a preprocessor (or whatever) to collect all the
> stats. Basically a copy of the stream4 that accepts all types of traffic and
> does nothing else but write that file.
> Did I miss something, is there something in snort that will do this for me? If
> not can anyone suggest a starting point on writing a module
> (preprocessor/input-plugin/output-plugin, whichever is appropriate) to do this.
> Glenn MacGregor
> HighStreet Networks