[Snort-sigs] Behavioral-based detection
mkettler at ...189...
Mon Nov 24 08:04:05 EST 2003
At 09:57 AM 11/22/2003, you wrote:
>As I can create rules which will allow raising an alarm at certain
>behaviour of a data stream (a high amount of inbound/outbound data; a small but
>frequent amount of inbound/outbound data; requests/responses that are sent too
>frequently or on a curious static interval; one "user" requesting a
>small quantity of external resources too frequently)
Assuming you meant this to be a question (you worded it as a statement of
Snort is really designed to detect a pattern of some sort in a single
packet or TCP stream. Snort rules generally do not handle things like
time, counting, correlation, etc. very well. Some limited behaviors like
this can be made using the tagging feature, but I've never done it myself.
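The counting and timing checks the reply says Snort rules do not do well (total volume, request rate, a static interval) are easy to compute outside the sensor over flow records. The script below is an added example, not code from the thread or from the Snort project; it assumes flow records as (timestamp, src, dst, bytes) tuples, and every record and threshold in it is constructed for illustration.

```python
# Added example (not from the thread): behavioural checks over flow records,
# covering the cases the original question listed: a high amount of data,
# small but frequent flows, and requests on a static interval.
# All flow records and thresholds are constructed for illustration.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp in seconds, src, dst, bytes sent by src)
FLOWS = [
    # 10.0.0.3: ordinary traffic, should not trigger anything
    (10.0, "10.0.0.3", "192.0.2.50", 4_000),
    (95.0, "10.0.0.3", "192.0.2.51", 12_000),
    # 10.0.0.5: small flows to one host at a near-constant 60 s interval
    *[(t, "10.0.0.5", "203.0.113.7", 200)
      for t in (0.0, 60.0, 121.0, 179.0, 240.0, 301.0)],
    # 10.0.0.9: three large uploads to one host
    *[(t, "10.0.0.9", "198.51.100.2", 50_000_000)
      for t in (30.0, 400.0, 900.0)],
    # 10.0.0.20: 25 small requests to one host within 30 s, irregular spacing
    *[(100.0 + o, "10.0.0.20", "192.0.2.10", 300)
      for o in (0, 1, 1, 2, 5, 5, 6, 9, 10, 10, 13, 14, 14, 15, 19,
                20, 20, 22, 25, 26, 26, 27, 29, 29, 30)],
]


def by_src(flows):
    """Group flow records by source address."""
    groups = defaultdict(list)
    for f in flows:
        groups[f[1]].append(f)
    return groups


def high_volume(flows, byte_threshold=100_000_000):
    """Sources whose total bytes sent exceed byte_threshold (src -> total)."""
    totals = defaultdict(int)
    for _ts, src, _dst, nbytes in flows:
        totals[src] += nbytes
    return {src: t for src, t in totals.items() if t > byte_threshold}


def high_rate(flows, window=60.0, max_count=20):
    """Sources with more than max_count flows in any sliding window of
    `window` seconds (src -> peak count seen in one window)."""
    result = {}
    for src, fl in by_src(flows).items():
        times = sorted(f[0] for f in fl)
        peak, start = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it covers at most `window` s
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_count:
            result[src] = peak
    return result


def periodic(flows, min_count=5, max_cv=0.1):
    """(src, dst) pairs whose inter-flow gaps are nearly constant.
    cv = stdev / mean of the gaps; a small cv means a steady cadence.
    Returns pair -> (mean gap in seconds, cv)."""
    pairs = defaultdict(list)
    for ts, src, dst, _nbytes in flows:
        pairs[(src, dst)].append(ts)
    result = {}
    for pair, times in pairs.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            result[pair] = (round(m, 1), round(cv, 3))
    return result


def analyze(flows):
    """Run all three checks and return their findings keyed by check name."""
    return {"volume": high_volume(flows),
            "rate": high_rate(flows),
            "periodic": periodic(flows)}


if __name__ == "__main__":
    for kind, hits in analyze(FLOWS).items():
        print(kind, hits)
```

Each check is independent, so a host can appear under more than one of them; on the constructed records only 10.0.0.9 trips the volume check, only 10.0.0.20 trips the rate check, and only the 10.0.0.5 to 203.0.113.7 pair trips the periodicity check. The thresholds are the part that needs tuning against a baseline of the network's normal traffic, since a legitimate scheduled job looks exactly like a steady cadence to the periodicity check.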