[Snort-devel] Question regarding snort statistics

Joel Esler jesler at ...402...
Fri May 4 09:49:06 EDT 2012


The Snort code is available at www.snort.org.  I suggest you take a look at it and see how you can modify it to fit your purpose.

J

On May 4, 2012, at 6:45 AM, Efthymia Tsamoura wrote:

> Hi all,
> 
> My name is Efi and I'm a PhD student. I'm writing this email, since I  
> want to find out how to monitor for each rule and for each input  
> packet which of the rule's predicates were satisfied and which not for  
> the specific packet that is currently being processed. For example,  
> given the rule
> 
> alert tcp 1.1.1.1 any -> 2.2.2.2 80 (content:"BOB"; gid:1000001;  
> sid:1; rev:1;),
> 
> I want for each packet statistics of the form:
> 
> Packet 1 satisfied Protocol=tcp and srcIp = 1.1.1.1
> and did not satisfy destIp = 2.2.2.2 and destport = 80 and content = "BOB"
> 
> What are the modifications that need to be performed to the src to get  
> this info? For example, which functions, data structures hold this  
> info ...
> 
> Best Regards,
> Efi
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 
> Please visit http://blog.snort.org for the latest news about Snort!
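The accounting Efi describes, as an added stand-alone example that is neither Snort's code nor anything posted in this thread: a small C model in which a rule is a list of predicates, each predicate is evaluated independently against a decoded packet, and the result is a per-packet bitmask of which predicates were satisfied. The rule is the one from the question; the packets, the `packet_t`/`predicate_t` structures and the labels are constructed here and are not Snort data structures.

```c
/* Added example, not Snort's code: per-predicate match accounting for one rule. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define MAX_PREDS 8

/* Minimal decoded packet holding only the fields the example rule tests (constructed). */
typedef struct {
    uint8_t proto;                 /* 6 = TCP */
    const char *src_ip, *dst_ip;   /* dotted-quad strings for simplicity */
    uint16_t src_port, dst_port;
    const uint8_t *payload;
    size_t payload_len;
} packet_t;

typedef enum { P_PROTO, P_SRC_IP, P_DST_IP, P_SRC_PORT, P_DST_PORT, P_CONTENT } pred_kind_t;

/* One predicate of a rule, plus the label printed in the statistics. */
typedef struct {
    pred_kind_t kind;
    const char *label;
    uint8_t proto;
    const char *ip;
    uint16_t port;                 /* 0 stands for "any" */
    const char *content;
} predicate_t;

typedef struct {
    int sid;
    predicate_t preds[MAX_PREDS];
    int npreds;
} rule_t;

/* Per-packet result for one rule: bit i is set when predicate i was satisfied. */
typedef struct {
    unsigned satisfied_mask;
    int satisfied_count;
} rule_stats_t;

/* Byte-wise substring search; payloads may contain NUL bytes, so strstr is unsuitable. */
static int payload_contains(const uint8_t *hay, size_t hlen, const char *needle) {
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

static int eval_predicate(const predicate_t *p, const packet_t *pkt) {
    switch (p->kind) {
    case P_PROTO:    return pkt->proto == p->proto;
    case P_SRC_IP:   return strcmp(pkt->src_ip, p->ip) == 0;
    case P_DST_IP:   return strcmp(pkt->dst_ip, p->ip) == 0;
    case P_SRC_PORT: return p->port == 0 || pkt->src_port == p->port;
    case P_DST_PORT: return p->port == 0 || pkt->dst_port == p->port;
    case P_CONTENT:  return payload_contains(pkt->payload, pkt->payload_len, p->content);
    }
    return 0;
}

/* Evaluate every predicate, deliberately without stopping at the first failure,
 * so the statistics also record which later predicates would not have matched. */
static rule_stats_t evaluate_rule(const rule_t *r, const packet_t *pkt) {
    rule_stats_t st = { 0u, 0 };
    for (int i = 0; i < r->npreds; i++) {
        if (eval_predicate(&r->preds[i], pkt)) {
            st.satisfied_mask |= 1u << i;
            st.satisfied_count++;
        }
    }
    return st;
}

/* Print the result in the "satisfied ... / did not satisfy ..." form from the question. */
static void print_stats(const rule_t *r, int pktno, const rule_stats_t *st) {
    printf("Packet %d, sid %d: satisfied", pktno, r->sid);
    for (int i = 0; i < r->npreds; i++)
        if (st->satisfied_mask & (1u << i)) printf(" [%s]", r->preds[i].label);
    printf("; did not satisfy");
    for (int i = 0; i < r->npreds; i++)
        if (!(st->satisfied_mask & (1u << i))) printf(" [%s]", r->preds[i].label);
    printf("\n");
}

/* The rule from the question: alert tcp 1.1.1.1 any -> 2.2.2.2 80 (content:"BOB"; sid:1;) */
static rule_t example_rule(void) {
    rule_t r = { .sid = 1, .npreds = 6 };
    r.preds[0] = (predicate_t){ P_PROTO,    "Protocol=tcp",    6, NULL,      0,  NULL  };
    r.preds[1] = (predicate_t){ P_SRC_IP,   "srcIp=1.1.1.1",   0, "1.1.1.1", 0,  NULL  };
    r.preds[2] = (predicate_t){ P_SRC_PORT, "srcPort=any",     0, NULL,      0,  NULL  };
    r.preds[3] = (predicate_t){ P_DST_IP,   "destIp=2.2.2.2",  0, "2.2.2.2", 0,  NULL  };
    r.preds[4] = (predicate_t){ P_DST_PORT, "destPort=80",     0, NULL,      80, NULL  };
    r.preds[5] = (predicate_t){ P_CONTENT,  "content=\"BOB\"", 0, NULL,      0,  "BOB" };
    return r;
}

int main(void) {
    rule_t r = example_rule();
    /* Constructed packet: TCP from 1.1.1.1, but to the wrong host and port, without "BOB". */
    packet_t p1 = { 6, "1.1.1.1", "3.3.3.3", 40000, 443, (const uint8_t *)"hello", 5 };
    rule_stats_t s1 = evaluate_rule(&r, &p1);
    print_stats(&r, 1, &s1);
    /* Constructed packet that satisfies every predicate of the rule. */
    packet_t p2 = { 6, "1.1.1.1", "2.2.2.2", 40000, 80, (const uint8_t *)"xxBOBxx", 7 };
    rule_stats_t s2 = evaluate_rule(&r, &p2);
    print_stats(&r, 2, &s2);
    return 0;
}
```

The point worth noting is in `evaluate_rule`: a matcher that stops at the first failed predicate never learns whether the later ones would have matched, so collecting the "did not satisfy" half of the statistics means evaluating every predicate for every packet, including the comparatively expensive content search. That extra work is paid on every packet, so in a production engine such accounting belongs behind a compile-time or run-time switch rather than in the default fast path.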