[Snort-devel] rule over tcp stream

Shoufu Luo luoshoufu at ...2499...
Thu Jun 16 10:02:33 EDT 2016


Hi guys,

I am searching for a guide to experimenting with a detector based on the first several
packets of a TCP stream (after the TCP connection is established) for Snort. Here is
what I need:

Specify a rule which requests a notification when a TCP stream has been
established and receives all packets (preferably only the TCP segments, if
possible) associated with that particular TCP stream in both directions; then,
after a few packets, my detector may raise an alert based on the rule
specified. (And what if it is matched against several signatures?)

PS: it does not have to assemble all packets for each stream, as long as
each packet can be associated with a particular stream.

I looked into preprocessors, but I am not sure whether that will work. Any
suggestions?


Sean


---
There is no such a thing called randomness.
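The detector described in the post above, as an added example that is not part of the original message or of the Snort distribution: a chain of three Snort 2.9 rules that approximates "alert only after a few packets in both directions of an established stream" using rule options alone. It assumes the stream5 preprocessor is tracking TCP (which is what makes `flow:established` and `stream_size` work); the port 8080, the content strings, the flowbit names and the SIDs are placeholders constructed for this illustration, not real signatures.

```snort
# Added example, not from the original post. Placeholder port, content
# strings, flowbit names and SIDs; stream5 must be tracking TCP.

# Stage 1: client-to-server segment of an established stream. Sets a
# per-stream flowbit and suppresses its own alert.
alert tcp any any -> any 8080 (msg:"demo stage1 client hello"; flow:established,to_server; content:"HELO"; depth:4; flowbits:set,demo_stage1; flowbits:noalert; sid:1000001; rev:1;)

# Stage 2: server-to-client segment on the same stream, only considered
# once stage 1 has fired for that stream. Sets the second flowbit, no alert.
alert tcp any 8080 -> any any (msg:"demo stage2 server banner"; flow:established,to_client; flowbits:isset,demo_stage1; content:"BANNER"; depth:6; flowbits:set,demo_stage2; flowbits:noalert; sid:1000002; rev:1;)

# Stage 3: the only rule that alerts. Requires both directions to have
# matched and the client to have sent more than 200 bytes on this stream
# (stream_size compares TCP sequence numbers, so it counts stream bytes,
# not packets), which stands in for "after a few packets".
alert tcp any any -> any 8080 (msg:"demo stage3 both directions seen"; flow:established,to_server; flowbits:isset,demo_stage2; stream_size:client,>,200; sid:1000003; rev:1;)
```

Flowbits are kept per tracked stream, so the condition is evaluated independently for each connection and the first two rules never alert on their own because of `flowbits:noalert`; adding further `flowbits:isset` stages is how several signatures are combined before the final alert. What this does not give you is a callback with every segment of the stream delivered to your own code; that requires writing a dynamic preprocessor that registers with the stream tracker, which is outside what rule options can express.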

