[Snort-sigs] Rules across tcp headers & http headers/payload

lists at ...3397...
Tue Mar 5 10:25:23 EST 2013


On 03/05/2013 04:23 AM, Andy Richards wrote:
> Maybe something like network behavioural analysis would be the way to go, with Snort feeding packets and alerts into such a system, maybe via the unix_alertsock, to identify such behaviour?

Maybe Netflow or some custom libpcap-based solution would probably work.  I've
done similar, usually tossing output from tcpdump across a pipe to Perl.

Best wishes and good luck.  Snort's really good at L7, but for L3/L4 flows like
you've described, rule chaining isn't really performance-friendly for the
engine, as I understand your use case to be.
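The "tcpdump across a pipe" approach the reply describes, written out as an added example (not code from the poster or from the Snort project, and in Python rather than the Perl the poster mentions). It parses `tcpdump -n -l` style lines, keeps only SYN packets as flow starts, and flags any source that opens connections to more than a threshold of distinct destination host:port pairs inside a sliding time window; that is the kind of L3/L4 behavioural check the reply says is a poor fit for Snort rule chaining. The sample lines, the window of 60 seconds and the threshold of 5 targets are constructed for illustration, not taken from the thread.

```python
"""Toy L3/L4 flow-behaviour analyser fed by tcpdump-style lines.

Usage on a live box (assumed, not from the original post):
    tcpdump -n -l 'tcp[tcpflags] & tcp-syn != 0' | python3 fanout.py
"""
import re
import sys
from collections import defaultdict

# Matches the start of a `tcpdump -n` line such as
# "10:25:23.000001 IP 10.0.0.5.51234 > 192.168.1.10.22: Flags [S], seq ..."
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture: 10.0.0.5 SYNs to seven different hosts on
# port 22 within a few seconds; 10.0.0.9 makes two ordinary connections.
SAMPLE_LINES = [
    "10:25:23.000001 IP 10.0.0.5.51234 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0",
    "10:25:24.000002 IP 10.0.0.5.51235 > 192.168.1.11.22: Flags [S], seq 1, win 64240, length 0",
    "10:25:25.000003 IP 10.0.0.5.51236 > 192.168.1.12.22: Flags [S], seq 1, win 64240, length 0",
    "10:25:26.000004 IP 10.0.0.5.51237 > 192.168.1.13.22: Flags [S], seq 1, win 64240, length 0",
    "10:25:27.000005 IP 10.0.0.5.51238 > 192.168.1.14.22: Flags [S], seq 1, win 64240, length 0",
    "10:25:28.000006 IP 10.0.0.5.51239 > 192.168.1.15.22: Flags [S], seq 1, win 64240, length 0",
    "10:25:29.000007 IP 10.0.0.5.51240 > 192.168.1.16.22: Flags [S], seq 1, win 64240, length 0",
    "10:25:30.000000 IP 10.0.0.9.40000 > 192.168.1.10.443: Flags [S], seq 7, win 65535, length 0",
    "10:25:30.500000 IP 192.168.1.10.443 > 10.0.0.9.40000: Flags [S.], seq 9, ack 8, length 0",
    "10:25:31.000000 IP 10.0.0.9.40000 > 192.168.1.10.443: Flags [.], ack 10, win 501, length 0",
    "10:25:40.000000 IP 10.0.0.9.40001 > 192.168.1.12.443: Flags [S], seq 3, win 65535, length 0",
    "this line is not a tcpdump packet record and must be ignored",
]


def parse_line(line):
    """Return a dict for a recognised tcpdump line, or None for anything else."""
    m = TCPDUMP_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.group("ts").split(":"))
    return {
        "ts": h * 3600 + mi * 60 + s,  # seconds since midnight
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "flags": m.group("flags"),
    }


def find_fanout(lines, window=60, threshold=5):
    """Map each source IP to the largest number of distinct (dst, dport)
    pairs it sent a bare SYN to inside any `window`-second span, keeping
    only sources that exceed `threshold`.  Both limits are hypothetical."""
    syns = defaultdict(list)  # src -> [(ts, (dst, dport))]
    for line in lines:
        p = parse_line(line)
        if p is None or p["flags"] != "S":
            continue  # SYN-ACKs, ACKs and junk are not new flows
        syns[p["src"]].append((p["ts"], (p["dst"], p["dport"])))

    flagged = {}
    for src, events in syns.items():
        events.sort()
        # Slide the window start across each SYN and count distinct targets.
        for i, (t0, _) in enumerate(events):
            targets = {tgt for t, tgt in events[i:] if t - t0 <= window}
            if len(targets) > threshold:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for src, count in sorted(find_fanout(source).items()):
        print(f"fan-out alert: {src} reached {count} distinct host:port pairs")
```

Run it with no stdin attached and it analyses the embedded sample, reporting only 10.0.0.5; piped from a live `tcpdump -n -l`, it reads line by line. The per-source sliding window is quadratic in the number of SYNs, which is fine for a demonstration but a real deployment would expire old events as it goes.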
