[Snort-devel] stream4 preprocessor

Bamm Visscher bamm at ...101...
Thu Apr 29 10:28:06 EDT 2004


Check out sancp [1]. We have support for it and stream4 keep_stats in sguil [2]. I prefer sancp because it can log TCP/UDP/ICMP traffic and I can create generic filters for things that would quickly fill my DB (like outbound HTTP).

Personally, I don't think you want snort to do everything (single point of failure can be bad).

Bammkkkk

[1] http://www.metre.net/sancp.html
[2] http://sguil.sf.net

On Thu, Apr 29, 2004 at 12:32:42PM -0700, Glenn MacGregor wrote:
> Hi All,
> 
> Right now I am using snort for just intrusion detection. I saw that I can setup 
> the stream4 preprocessor to write all tcp connections to a unified file upon 
> restart. This is a great feature! Unfortunately I need a bit more, I would like a 
> unified format file of all traffic (TCP, UDP and ICMP). I can't find anything 
> within snort that will do this.
> 
> So I'm thinking about writing a preprocessor (or whatever) to collect all the 
> stats. Basically a copy of the stream4 that accepts all types of traffic and 
> does nothing else but write that file.
> 
> Did I miss something, is there something in snort that will do this for me? If 
> not can anyone suggest a starting point on writing a module 
> (preprocessor/input-plugin/output-plugin, whichever is appropriate) to do this.
> 
>   Thanks
> 
>      Glenn  
> 
> Glenn MacGregor
> HighStreet Networks
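The kind of session record the thread is after (one line per TCP, UDP or ICMP connection, with a generic filter so that high-volume traffic such as outbound HTTP does not fill the database), as an added example written for this page. It is not code from Snort, stream4, sancp or sguil, and its record layout is this example's own, not Snort's unified format or sancp's output. The local network, the packet tuples and the field names are constructed assumptions.

```python
"""Minimal bidirectional session aggregator for TCP/UDP/ICMP packets.

Added example, not code from Snort, sancp or sguil. One record is kept per
flow, both directions folded together, and an exclusion filter is applied
when a flow is first seen so that unwanted sessions never enter the store.
"""
from dataclasses import dataclass
import ipaddress

# Constructed "inside" network used by the outbound-HTTP filter (assumption).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Session:
    proto: str
    src: str        # initiator: endpoint of the first packet seen
    sport: int      # for ICMP: type of the first packet
    dst: str
    dport: int      # for ICMP: code of the first packet
    start: float
    end: float
    src_pkts: int = 0
    src_bytes: int = 0
    dst_pkts: int = 0
    dst_bytes: int = 0


def flow_key(proto, src, sport, dst, dport):
    """Direction-independent key so A->B and B->A land in the same record.

    ICMP has no ports, and a reply carries a different type than the request,
    so ICMP flows are keyed on the address pair only (a simplification chosen
    for this example).
    """
    if proto == "icmp":
        return (proto,) + tuple(sorted([src, dst]))
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))


def exclude_outbound_http(proto, src, sport, dst, dport):
    """The 'generic filter' idea from the reply: drop sessions that an inside
    host initiates to TCP port 80, before they are ever recorded."""
    return proto == "tcp" and dport == 80 and ipaddress.ip_address(src) in LOCAL_NET


def aggregate(packets, exclude=exclude_outbound_http):
    """packets: iterable of (ts, proto, src, sport, dst, dport, length).
    Returns Session records in order of first appearance."""
    sessions = {}
    dropped = set()
    for ts, proto, src, sport, dst, dport, length in packets:
        key = flow_key(proto, src, sport, dst, dport)
        if key in dropped:
            continue
        s = sessions.get(key)
        if s is None:
            if exclude(proto, src, sport, dst, dport):
                dropped.add(key)   # remember the flow so its replies are skipped too
                continue
            s = Session(proto, src, sport, dst, dport, ts, ts)
            sessions[key] = s
        s.end = max(s.end, ts)
        # Attribute the packet to the initiator side or the responder side.
        from_initiator = src == s.src and (proto == "icmp" or sport == s.sport)
        if from_initiator:
            s.src_pkts += 1
            s.src_bytes += length
        else:
            s.dst_pkts += 1
            s.dst_bytes += length
    return list(sessions.values())


def to_record(s):
    """Pipe-delimited text line; this layout is the example's own."""
    fields = (s.proto, s.start, s.end, s.src, s.sport, s.dst, s.dport,
              s.src_pkts, s.src_bytes, s.dst_pkts, s.dst_bytes)
    return "|".join(str(v) for v in fields)


# Constructed packet sample: an inbound SSH session, an outbound HTTP request
# (to be filtered out), a DNS query/answer and an ICMP echo exchange.
SAMPLE_PACKETS = [
    (1000.0, "tcp", "10.0.0.5", 40001, "192.168.1.10", 22, 60),
    (1000.1, "tcp", "192.168.1.10", 22, "10.0.0.5", 40001, 60),
    (1000.2, "tcp", "10.0.0.5", 40001, "192.168.1.10", 22, 52),
    (1001.0, "tcp", "192.168.1.20", 51000, "203.0.113.9", 80, 74),
    (1001.1, "tcp", "203.0.113.9", 80, "192.168.1.20", 51000, 74),
    (1002.0, "udp", "192.168.1.20", 53123, "192.168.1.1", 53, 64),
    (1002.05, "udp", "192.168.1.1", 53, "192.168.1.20", 53123, 120),
    (1003.0, "icmp", "192.168.1.20", 8, "192.168.1.1", 0, 84),
    (1003.01, "icmp", "192.168.1.1", 0, "192.168.1.20", 0, 84),
]

if __name__ == "__main__":
    for session in aggregate(SAMPLE_PACKETS):
        print(to_record(session))
```

Running it over the constructed sample yields three records (SSH, DNS, ICMP); the outbound HTTP flow is dropped on its first packet and its reply is skipped because the key was remembered. Passing `exclude=lambda *a: False` records all four flows, which is the behaviour a plain "log everything" collector would have.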
