[Snort-sigs] Behavioral-based detection

Matt Kettler mkettler at ...189...
Mon Nov 24 08:04:05 EST 2003


At 09:57 AM 11/22/2003, you wrote:
>As I can create rules which will allow to raise alarm at the certain
>behaviour of a data stream (high amount of inbound/outbound data; small but
>frequent amount of inbound/outbound data; requests/responses are sent too
>frequently or are sent on a curious static interval; one "user" requests a
>small quantity of external resources too frequently)

Assuming you meant this to be a question (you worded it as a statement of 
fact).

Probably not.

Snort is really designed to detect a pattern of some sort in a single 
packet or TCP stream. Snort rules generally do not handle things like 
time, counting, correlation, etc. very well. Some limited behaviors like 
this can be made using the tagging feature, but I've never done it myself.
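The counting, timing and correlation asked about above (high volume, requests on a static interval, one host fanning out to many destinations) are the kind of thing that is usually done in a separate pass over connection records rather than inside a Snort rule. The script below is an added example written for this archive page, not code from Matt Kettler or the Snort project. The log field layout (`epoch_seconds src dst bytes_out`), the sample lines, and the thresholds (`min_events`, `max_cv`, `volume_limit`, `min_dsts`) are all constructed assumptions for illustration.

```python
"""Added example: behavioral post-processing of connection records.

Snort matches a pattern in one packet or stream; the time-based checks
from the question are implemented here as a second stage over a log of
per-connection records. Field layout, sample lines and thresholds are
constructed for this example and are not a Snort or project format.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: epoch_seconds src dst bytes_out
# 10.0.0.5  -> same peer every 60 s with small payloads (static interval)
# 10.0.0.9  -> three large transfers (high volume)
# 10.0.0.12 -> five different destinations within seconds (fan-out)
SAMPLE_LOG = """\
1069660800 10.0.0.5 198.51.100.7 412
1069660860 10.0.0.5 198.51.100.7 418
1069660920 10.0.0.5 198.51.100.7 409
1069660980 10.0.0.5 198.51.100.7 415
1069661040 10.0.0.5 198.51.100.7 411
1069660801 10.0.0.9 203.0.113.20 52000
1069660833 10.0.0.9 203.0.113.20 61000
1069661017 10.0.0.9 203.0.113.20 58000
this line is malformed and must be skipped
1069660805 10.0.0.12 192.0.2.1 300
1069660806 10.0.0.12 192.0.2.2 300
1069660807 10.0.0.12 192.0.2.3 300
1069660808 10.0.0.12 192.0.2.4 300
1069660809 10.0.0.12 192.0.2.5 300
"""


def parse_log(text):
    """Parse 'ts src dst bytes' lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            records.append({"ts": int(parts[0]), "src": parts[1],
                            "dst": parts[2], "bytes": int(parts[3])})
        except ValueError:
            continue
    return records


def intervals(timestamps):
    """Gaps in seconds between consecutive (sorted) timestamps."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def analyze(records, min_events=4, max_cv=0.1, volume_limit=100000, min_dsts=5):
    """Return a list of findings over the whole record set.

    static_interval  : a (src, dst) pair with >= min_events connections whose
                       inter-arrival gaps have a coefficient of variation
                       <= max_cv, i.e. a suspiciously regular cadence.
    high_volume      : a (src, dst) pair whose total bytes >= volume_limit.
    many_destinations: a src that contacted >= min_dsts distinct dsts.
    """
    flows = defaultdict(list)
    dsts_by_src = defaultdict(set)
    for r in records:
        flows[(r["src"], r["dst"])].append(r)
        dsts_by_src[r["src"]].add(r["dst"])

    findings = []
    for (src, dst), rs in flows.items():
        gaps = intervals([r["ts"] for r in rs])
        total = sum(r["bytes"] for r in rs)
        if len(rs) >= min_events and gaps:
            m = mean(gaps)
            cv = pstdev(gaps) / m if m else 0.0
            if cv <= max_cv:
                findings.append({"kind": "static_interval", "src": src, "dst": dst,
                                 "interval": round(m, 1), "events": len(rs)})
        if total >= volume_limit:
            findings.append({"kind": "high_volume", "src": src, "dst": dst,
                             "bytes": total})
    for src, dsts in dsts_by_src.items():
        if len(dsts) >= min_dsts:
            findings.append({"kind": "many_destinations", "src": src,
                             "destinations": len(dsts)})
    return findings


if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG)):
        print(f)
```

The coefficient-of-variation test is deliberately strict: a cadence that is exactly periodic has a CV of zero, while ordinary interactive traffic produces widely scattered gaps. In practice the thresholds need tuning against a baseline of normal traffic, and the static-interval check should be run over a bounded time window rather than the whole log so that old records do not dilute the statistics.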
