[Snort-devel] Question regarding snort statistics

Efthymia Tsamoura etsamour at ...3288...
Fri May 4 06:45:35 EDT 2012


Hi all,

My name is Efi and I'm a PhD student. I'm writing this email since I  
want to find out how to monitor, for each rule and for each input  
packet, which of the rule's predicates were satisfied and which were not for  
the specific packet that is currently being processed. For example,  
given the rule

alert tcp 1.1.1.1 any -> 2.2.2.2 80 (content:"BOB"; gid:1000001;  
sid:1; rev:1;),

I want for each packet statistics of the form:

Packet 1 satisfied Protocol=tcp and srcIp = 1.1.1.1
and did not satisfy destIp = 2.2.2.2 and destport = 80 and content = "BOB"

What are the modifications that need to be performed to the src to get  
this info? For example, which functions, data structures hold this  
info ...

Best Regards,
Efi
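Below is an added example, not Snort source and not something from the poster, that models the rule in the question as a list of five predicates and records, per packet, which of them were satisfied, which were not, and which were never reached. The split into rule-header checks (protocol, addresses, port) followed by the content option, and stopping at the first failing check, mirrors Snort's detection engine in outline only; every type and function name here (`Packet`, `Rule`, `Verdict`, `RuleStats`, `eval_rule`, `ip4`) is invented for this example, and the two packets are constructed test inputs.

```c
/* Added example: a toy per-predicate rule evaluator.  This is NOT Snort
 * code; it only models the rule from the post
 *   alert tcp 1.1.1.1 any -> 2.2.2.2 80 (content:"BOB"; gid:1000001; sid:1; rev:1;)
 * as five predicates and tracks which ones each packet satisfied. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum Pred { P_PROTO, P_SRCIP, P_DSTIP, P_DSTPORT, P_CONTENT, NUM_PREDS };
static const char *pred_name[NUM_PREDS] = {
    "Protocol", "srcIp", "destIp", "destport", "content"
};

#define PROTO_TCP 6

typedef struct {                 /* hypothetical decoded packet */
    uint8_t  proto;
    uint32_t sip, dip;           /* IPv4, host byte order */
    uint16_t sport, dport;
    const uint8_t *payload;
    size_t   paylen;
} Packet;

typedef struct {                 /* hypothetical rule representation */
    uint8_t  proto;
    uint32_t sip, dip;
    uint16_t dport;              /* source port is "any" in the post's rule */
    const char *content;
    uint32_t gid, sid, rev;
} Rule;

/* Per-packet verdict: 1 = satisfied, 0 = not satisfied, -1 = not evaluated */
typedef struct { int pred[NUM_PREDS]; int alert; } Verdict;

/* Per-rule counters accumulated over all packets seen */
typedef struct { unsigned long hit[NUM_PREDS], miss[NUM_PREDS], packets, alerts; } RuleStats;

static uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* The rule from the post, built at run time because ip4() is not a constant */
Rule rule_from_post(void) {
    Rule r = { PROTO_TCP, 0, 0, 80, "BOB", 1000001, 1, 1 };
    r.sip = ip4(1, 1, 1, 1);
    r.dip = ip4(2, 2, 2, 2);
    return r;
}

/* Plain substring search standing in for the content matcher */
static int payload_contains(const uint8_t *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0) return 1;
    if (n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Evaluate the predicates in rule order: header fields first, then content.
 * With short_circuit != 0 evaluation stops at the first failure (what a real
 * engine does to save work), so later predicates stay "not evaluated"; with
 * 0 every predicate is checked and the statistic the post asks for is complete. */
int eval_rule(const Rule *r, const Packet *p, int short_circuit, Verdict *v, RuleStats *st) {
    for (int i = 0; i < NUM_PREDS; i++) v->pred[i] = -1;
    v->alert = 1;
    st->packets++;
    for (int i = 0; i < NUM_PREDS; i++) {
        int ok;
        switch (i) {
        case P_PROTO:   ok = p->proto == r->proto; break;
        case P_SRCIP:   ok = p->sip == r->sip;     break;
        case P_DSTIP:   ok = p->dip == r->dip;     break;
        case P_DSTPORT: ok = p->dport == r->dport; break;
        default:        ok = payload_contains(p->payload, p->paylen, r->content); break;
        }
        v->pred[i] = ok;
        if (ok) st->hit[i]++; else st->miss[i]++;
        if (!ok) { v->alert = 0; if (short_circuit) break; }
    }
    if (v->alert) st->alerts++;
    return v->alert;
}

/* Print one line in the shape the post asks for */
void print_verdict(unsigned pkt_no, const Rule *r, const Verdict *v) {
    printf("Packet %u (gid %u sid %u): satisfied", pkt_no, (unsigned)r->gid, (unsigned)r->sid);
    for (int i = 0; i < NUM_PREDS; i++) if (v->pred[i] == 1)  printf(" %s", pred_name[i]);
    printf("; not satisfied");
    for (int i = 0; i < NUM_PREDS; i++) if (v->pred[i] == 0)  printf(" %s", pred_name[i]);
    printf("; not evaluated");
    for (int i = 0; i < NUM_PREDS; i++) if (v->pred[i] == -1) printf(" %s", pred_name[i]);
    printf("\n");
}

int main(void) {
    Rule r = rule_from_post();
    RuleStats st = {0};
    Verdict v;
    /* constructed packets: one that fails after the source IP, one that alerts */
    uint8_t pl1[] = "GET /index.html";
    Packet p1 = { PROTO_TCP, ip4(1,1,1,1), ip4(3,3,3,3), 40000, 443, pl1, sizeof pl1 - 1 };
    uint8_t pl2[] = "hello BOB";
    Packet p2 = { PROTO_TCP, ip4(1,1,1,1), ip4(2,2,2,2), 40000, 80,  pl2, sizeof pl2 - 1 };

    eval_rule(&r, &p1, 0, &v, &st); print_verdict(1, &r, &v);   /* full evaluation */
    eval_rule(&r, &p1, 1, &v, &st); print_verdict(2, &r, &v);   /* short-circuit */
    eval_rule(&r, &p2, 1, &v, &st); print_verdict(3, &r, &v);
    for (int i = 0; i < NUM_PREDS; i++)
        printf("%-8s hit=%lu miss=%lu\n", pred_name[i], st.hit[i], st.miss[i]);
    return 0;
}
```

The practical caveat the example makes visible: an engine that short-circuits can only report predicates it actually reached, so "did not satisfy destport = 80" is unknowable for a packet that already failed the destination-IP check unless evaluation is forced to continue, which costs performance on every non-matching packet.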





