[Snort-users] sizing a snort ids system?

Mike Andersen mike at ...207...
Tue Aug 15 11:35:15 EDT 2000


[Jed Pickel]
|
| I think you understand that having a timestamp in the iphdr table does
| not make sense when we add support for non-IP protocols.

*Blush* Here is a point that I've completely missed. :-)

Hmm...  is it then also possible to log data from higher-level protocols
too?  Like protocol data from, for example, ftp, http and telnet (with
friends)?  And is it of any interest?

| Would you say that the real issue here is that we need to find a word
| for the event table that does not cause misunderstanding? If so, do
| you have any suggestions?

Well, it's not the name of the table that is the issue, but where the
data is placed.  As you were saying in another place in the mail:

| The whole purpose of the "event" table is to hold meta data that is
| not part of other data structures.

...and then the meta data is mixed up with data from the signatures.  I
understand why, but do not agree with the current solution. :-) What
about a 'meta' table for this purpose?


mike
-- 
Never test for an error condition you don't know how to handle.
                -- Steinbach
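As an added illustration of the schema split being argued over above (this is not the snort database schema from the list, and every table and column name below is assumed for the example): the timestamp and other protocol-neutral fields live in the event table, each protocol gets its own header table keyed by the same (sensor id, event id) pair, application-layer fields such as ftp/http/telnet data get their own table, and metadata that belongs to no header goes in a separate meta table rather than being mixed in with signature data.

```sql
-- Added example schema; names are assumptions, not the real snort-db layout.
-- One row per alert, independent of the protocol it was raised on.
CREATE TABLE event (
    sid        INTEGER   NOT NULL,   -- sensor id
    cid        INTEGER   NOT NULL,   -- per-sensor event counter
    signature  INTEGER   NOT NULL,   -- reference into a signature table
    timestamp  TIMESTAMP NOT NULL,   -- belongs here, not in iphdr
    PRIMARY KEY (sid, cid)
);

-- IP-specific fields only. An event raised on a non-IP protocol simply
-- has no row in this table, so the timestamp must not live here.
CREATE TABLE iphdr (
    sid       INTEGER  NOT NULL,
    cid       INTEGER  NOT NULL,
    ip_src    INTEGER  NOT NULL,     -- 32-bit address as an integer
    ip_dst    INTEGER  NOT NULL,
    ip_proto  SMALLINT NOT NULL,
    ip_ttl    SMALLINT NOT NULL,
    PRIMARY KEY (sid, cid),
    FOREIGN KEY (sid, cid) REFERENCES event (sid, cid)
);

-- A non-IP header table (assumed example: ARP) hangs off event the same way.
CREATE TABLE arphdr (
    sid        INTEGER  NOT NULL,
    cid        INTEGER  NOT NULL,
    arp_op     SMALLINT NOT NULL,
    arp_sha    CHAR(17) NOT NULL,    -- sender hardware address
    arp_tha    CHAR(17) NOT NULL,    -- target hardware address
    PRIMARY KEY (sid, cid),
    FOREIGN KEY (sid, cid) REFERENCES event (sid, cid)
);

-- Application-layer data (the ftp/http/telnet question): one row per
-- decoded field, so new protocols need no schema change.
CREATE TABLE apphdr (
    sid     INTEGER      NOT NULL,
    cid     INTEGER      NOT NULL,
    proto   VARCHAR(16)  NOT NULL,   -- 'ftp', 'http', 'telnet', ...
    field   VARCHAR(32)  NOT NULL,   -- 'USER', 'Host', 'Request-URI', ...
    value   VARCHAR(255) NOT NULL,
    PRIMARY KEY (sid, cid, proto, field),
    FOREIGN KEY (sid, cid) REFERENCES event (sid, cid)
);

-- Metadata that is part of no header and no signature.
CREATE TABLE meta (
    sid     INTEGER      NOT NULL,
    cid     INTEGER      NOT NULL,
    name    VARCHAR(32)  NOT NULL,   -- e.g. 'interface', 'sensor_host'
    value   VARCHAR(255) NOT NULL,
    PRIMARY KEY (sid, cid, name),
    FOREIGN KEY (sid, cid) REFERENCES event (sid, cid)
);

-- Constructed sample: one TCP/IP alert with an HTTP field, one ARP alert.
INSERT INTO event VALUES (1, 100, 7, '2000-08-15 11:35:15');
INSERT INTO iphdr VALUES (1, 100, 3232235777, 3232235876, 6, 64);
INSERT INTO apphdr VALUES (1, 100, 'http', 'Request-URI', '/cgi-bin/phf');
INSERT INTO event VALUES (1, 101, 9, '2000-08-15 11:35:16');
INSERT INTO arphdr VALUES (1, 101, 2, '00:00:00:00:00:01', '00:00:00:00:00:02');
INSERT INTO meta VALUES (1, 101, 'interface', 'eth0');

-- Because the timestamp is on event, a time-ordered listing works for
-- both alerts; the IP columns are NULL for the ARP one.
SELECT e.sid, e.cid, e.timestamp, e.signature, i.ip_src, i.ip_dst
FROM event e
LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE e.timestamp >= '2000-08-15 00:00:00'
ORDER BY e.timestamp, e.sid, e.cid;
```

The point of the LEFT JOIN is the one made in the thread: if the timestamp sat in iphdr, the ARP event would drop out of any time-based query, and anything logged for non-IP protocols would be invisible to the console.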