[Snort-users] matching composite patterns

Martin Roesch roesch at ...421...
Mon Nov 6 18:00:56 EST 2000


This is a planned feature for a future version (1.8?).  Snort can't do
it right now, but we're planning on getting to work on it after we get
the next version out the door.  Here's a little sneak preview of what
it's probably going to look like:

composite (msg: "root telnet access"; action: tag; within: 20; )
{
    component tcp $HOME_NET 23 -> $EXTERNAL any (content: "login\:";)
    component tcp $EXTERNAL any -> $HOME_NET 23 (content: "root";)
}

Look like what you might want?

    -Marty
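To make the sketched "composite" semantics concrete, here is a small added example (not Snort code, and not the syntax Marty previewed) that correlates the two components per flow and fires only when "root" follows the "login:" prompt within the 20-second window; Packet, HOME_NET, EXTERNAL and the tuple rule form are assumptions of this example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts proto src sport dst dport payload")  # constructed record
HOME_NET = "10.0.0."   # address prefix standing in for $HOME_NET
EXTERNAL = None        # stands in for $EXTERNAL: any address outside HOME_NET

def in_net(addr, net):
    return not addr.startswith(HOME_NET) if net is None else addr.startswith(net)

def component_matches(comp, pkt):
    proto, src, sport, dst, dport, content = comp
    return (pkt.proto == proto and in_net(pkt.src, src) and in_net(pkt.dst, dst)
            and sport in ("any", pkt.sport) and dport in ("any", pkt.dport)
            and content in pkt.payload)

def run_composite(rule, packets):
    """Alert once per flow whose components all match, in order, within `within` seconds."""
    comps, within = rule["components"], rule["within"]
    state, alerts = {}, []   # flow -> (index of next component, ts of first match)
    for pkt in sorted(packets, key=lambda p: p.ts):
        # Direction-insensitive flow key so both halves of one session share state.
        key = frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        idx, first_ts = state.get(key, (0, None))
        if first_ts is not None and pkt.ts - first_ts > within:
            idx, first_ts = 0, None           # window expired: start over
        if component_matches(comps[idx], pkt):
            first_ts = pkt.ts if idx == 0 else first_ts
            idx += 1
            if idx == len(comps):             # final component seen: fire
                alerts.append((rule["msg"], pkt.ts, pkt.src, pkt.dst))
                idx, first_ts = 0, None
        state[key] = (idx, first_ts)
    return alerts

# The sketched rule in the example's own tuple form: (proto, src, sport, dst, dport, content).
ROOT_TELNET = {"msg": "root telnet access", "within": 20, "components": [
    ("tcp", HOME_NET, 23, EXTERNAL, "any", "login:"),
    ("tcp", EXTERNAL, "any", HOME_NET, 23, "root"),
]}

# Constructed traffic: A answers the prompt in 3 s, B after 40 s, C sends "root" with no prompt.
SAMPLE = [
    Packet(100, "tcp", "10.0.0.5", 23, "198.51.100.7", 40000, "login: "),
    Packet(103, "tcp", "198.51.100.7", 40000, "10.0.0.5", 23, "root\r\n"),
    Packet(200, "tcp", "10.0.0.5", 23, "198.51.100.8", 40001, "login: "),
    Packet(240, "tcp", "198.51.100.8", 40001, "10.0.0.5", 23, "root\r\n"),
    Packet(300, "tcp", "198.51.100.9", 40002, "10.0.0.5", 23, "root\r\n"),
]
```

Running `run_composite(ROOT_TELNET, SAMPLE)` yields a single alert for session A; B falls outside the window and C never saw the prompt, so neither fires.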

Jacob Martinson wrote:
> 
> Is there a way to do composite/nonatomic pattern matching?  For instance, I
> want to alert if someone is ping or udp scanning one of my nets, or if one
> of our networks is getting hit with a udp dos . . . say I want to alert if
> there are more than 2000 udp packets per second with destination port above
> 1024 and destination address on the same subnet . . . Is it possible for
> snort (or a snort plugin) to do this kind of thing, or is snort strictly
> limited to atomic, packet by packet matching?  If this is not possible with
> snort, is there another open source tool that can do this (and run on *bsd)?
> 
> tia . . . jacob
> 