[Snort-devel] Question regarding snort statistics

Russ Combs rcombs at ...402...
Fri May 4 10:38:37 EDT 2012


On Fri, May 4, 2012 at 9:49 AM, Joel Esler <jesler at ...402...> wrote:

> The Snort code is available at www.snort.org.  I suggest you take a look
> at it and see how you can modify it to fit your purpose.
>

If you look for DETECTION_OPTION_MATCH and DETECTION_OPTION_NO_MATCH you
will find what you need.

J
>
> On May 4, 2012, at 6:45 AM, Efthymia Tsamoura wrote:
>
> > Hi all,
> >
> > My name is Efi and I'm a PhD student. I'm writing this email, since I
> > want to find out how to monitor for each rule and for each input
> > packet which of the rule's predicates were satisfied and which not for
> > the specific packet that is currently being processed. For example,
> > given the rule
> >
> > alert tcp 1.1.1.1 any -> 2.2.2.2 80 (content:"BOB"; gid:1000001;
> > sid:1; rev:1;),
> >
> > I want for each packet statistics of the form:
> >
> > Packet 1 satisfied Protocol=tcp and srcIp = 1.1.1.1
> > and did not satisfy destIp = 2.2.2.2 and destport = 80 and content =
> > "BOB"
> >
> > What are the modifications that need to be performed to the src to get
> > this info? For example, which functions, data structures hold this
> > info ...
> >
> > Best Regards,
> > Efi
> >
> ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
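As an added illustration (not Snort's code, and not written by anyone in this thread), here is a constructed C model of the per-predicate bookkeeping Efi describes: each predicate of the example rule is evaluated independently against a constructed packet and recorded as DETECTION_OPTION_MATCH or DETECTION_OPTION_NO_MATCH instead of stopping at the first failure. The Packet and Rule structs, eval_predicate and evaluate_rule are assumed names for this model, and the sample packet is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of per-predicate rule evaluation; not Snort's own code. */
#define DETECTION_OPTION_MATCH    1
#define DETECTION_OPTION_NO_MATCH 0
#define NUM_PREDICATES 5

/* In a Rule, "any" in an address field and 0 in dst_port match anything. */
typedef struct { const char *proto, *src_ip, *dst_ip; int dst_port; const char *payload; } Packet;
typedef struct { const char *proto, *src_ip, *dst_ip; int dst_port; const char *content; } Rule;
static const char *pred_names[NUM_PREDICATES] = { "Protocol", "srcIp", "destIp", "destport", "content" };

/* Evaluate one predicate (selected by idx) of the rule against the packet. */
static int eval_predicate(const Rule *r, const Packet *p, int idx)
{
    switch (idx) {
    case 0: return strcmp(r->proto, p->proto) == 0;
    case 1: return strcmp(r->src_ip, "any") == 0 || strcmp(r->src_ip, p->src_ip) == 0;
    case 2: return strcmp(r->dst_ip, "any") == 0 || strcmp(r->dst_ip, p->dst_ip) == 0;
    case 3: return r->dst_port == 0 || r->dst_port == p->dst_port;
    case 4: return strstr(p->payload, r->content) != NULL;
    default: return DETECTION_OPTION_NO_MATCH;
    }
}

/* Evaluate every predicate without short-circuiting, record each verdict in
 * results[], and return how many predicates the packet satisfied. */
int evaluate_rule(const Rule *r, const Packet *p, int results[NUM_PREDICATES])
{
    int matched = 0;
    for (int i = 0; i < NUM_PREDICATES; i++) {
        results[i] = eval_predicate(r, p, i) ? DETECTION_OPTION_MATCH : DETECTION_OPTION_NO_MATCH;
        matched += results[i];
    }
    return matched;
}

int main(void)
{
    Rule r = { "tcp", "1.1.1.1", "2.2.2.2", 80, "BOB" };        /* the rule from the thread */
    Packet p = { "tcp", "1.1.1.1", "3.3.3.3", 443, "hello" };  /* constructed sample packet */
    int results[NUM_PREDICATES];
    evaluate_rule(&r, &p, results);
    for (int i = 0; i < NUM_PREDICATES; i++)
        printf("Packet 1 %s %s\n", results[i] ? "satisfied" : "did not satisfy", pred_names[i]);
    return 0;
}
```

Snort itself checks the header fields (protocol, addresses, ports) in the rule tree before it evaluates rule options, and option evaluation stops at the first option that does not match, so per-predicate counters have to be recorded at each of those decision points rather than only at the final verdict.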