[Snort-users] matching composite patterns
roesch at ...421...
Mon Nov 6 18:00:56 EST 2000
This is a planned feature for a future version (1.8?). Snort can't do
it right now, but we're planning on getting to work on it after we get
the next version out the door. Here's a little sneak preview of what
it's probably going to look like:
composite (msg: "root telnet access"; action: tag; within: 20; )
component tcp $HOME_NET 23 -> $EXTERNAL any (content: "login\:";)
component tcp $EXTERNAL any -> $HOME_NET 23 (content: "root";)
Look like what you might want?
Jacob Martinson wrote:
> Is there a way to do composite/nonatomic pattern matching? For instance, I
> want to alert if someone is ping or UDP scanning one of my nets, or if one
> of our networks is getting hit with a UDP DoS . . . say I want to alert if
> there are more than 2000 UDP packets per second with destination port above
> 1024 and destination address on the same subnet . . . Is it possible for
> Snort (or a Snort plugin) to do this kind of thing, or is Snort strictly
> limited to atomic, packet-by-packet matching? If this is not possible with
> Snort, is there another open source tool that can do this (and run on *BSD)?
> TIA . . . Jacob
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
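The composite rule sketched in the reply above is only a proposal, and the Snort of this period matched packet by packet. As an added example (not Snort code and not from anyone in this thread), the Python below implements the semantics that sketch describes: each "component" is a per-packet match on protocol, endpoints and content, the composite fires when the components match in order on the same conversation within a window, and the "tag" action is stood in for by an alert naming the conversation. It also implements the rate check from the original question (more than 2000 UDP packets per second to ports above 1024 on one subnet) as a sliding-window threshold. Assumptions, since the sketch does not state them: `within: 20` is read as seconds, `$HOME_NET` is taken as 10.1.1.0/24, `$EXTERNAL` means "not in `$HOME_NET`", and all addresses and packets are constructed test data rather than captured traffic.

```python
from collections import defaultdict, deque, namedtuple
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.1.1.0/24")            # assumed value of $HOME_NET
home = lambda ip: ip_address(ip) in HOME_NET
external = lambda ip: ip_address(ip) not in HOME_NET   # $EXTERNAL = not home
ANY = None                                       # stands in for the 'any' port

# Constructed packet record (a real correlator would decode these from pcap).
Packet = namedtuple("Packet", "ts proto src sport dst dport payload")
# One 'component' line: proto src sport -> dst dport (content: ...)
Component = namedtuple("Component", "proto src sport dst dport content")


def component_matches(c, p):
    return (p.proto == c.proto and c.src(p.src) and c.dst(p.dst)
            and c.sport in (ANY, p.sport) and c.dport in (ANY, p.dport)
            and c.content in p.payload)


class CompositeRule:
    """Fires when the components match in order on one conversation, with the
    last match no more than `within` seconds after the first (the 'tag' action)."""

    def __init__(self, msg, components, within):
        self.msg, self.components, self.within = msg, components, within
        self.state = {}          # conversation key -> (next component idx, t0)

    def feed(self, p):
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})   # direction-agnostic
        idx, t0 = self.state.get(key, (0, None))
        if t0 is not None and p.ts - t0 > self.within:
            idx, t0 = 0, None                                  # window expired
        if not component_matches(self.components[idx], p):
            return None
        t0 = p.ts if idx == 0 else t0
        idx += 1
        if idx < len(self.components):
            self.state[key] = (idx, t0)
            return None
        self.state.pop(key, None)
        return f"[{self.msg}] tag {sorted(key)}"


class ThresholdRule:
    """Fires once per destination subnet when more than `count` packets of
    `proto` with dport > `min_dport` arrive within a sliding `seconds` window."""

    def __init__(self, msg, proto, min_dport, prefix, count, seconds):
        self.msg, self.proto, self.min_dport = msg, proto, min_dport
        self.prefix, self.count, self.seconds = prefix, count, seconds
        self.windows, self.fired = defaultdict(deque), set()

    def feed(self, p):
        if p.proto != self.proto or p.dport <= self.min_dport:
            return None
        net = ip_network(f"{p.dst}/{self.prefix}", strict=False)
        w = self.windows[net]
        w.append(p.ts)
        while p.ts - w[0] > self.seconds:        # evict timestamps outside the window
            w.popleft()
        if len(w) > self.count and net not in self.fired:
            self.fired.add(net)
            return f"[{self.msg}] {len(w)} {self.proto} packets to {net} in {self.seconds}s"
        return None


def run(packets, rules):
    """Feed packets in time order to every rule; collect the alerts."""
    alerts = []
    for p in sorted(packets, key=lambda q: q.ts):
        alerts += [a for a in (r.feed(p) for r in rules) if a]
    return alerts


def demo():
    """Constructed traffic: one real root login, one too slow, one without a
    prompt, and a 2001-packet UDP burst to 10.1.1.0/24 in under a second."""
    root_telnet = CompositeRule("root telnet access", [
        Component("tcp", home, 23, external, ANY, b"login:"),
        Component("tcp", external, ANY, home, 23, b"root"),
    ], within=20)
    udp_flood = ThresholdRule("udp flood", "udp", 1024, 24, 2000, 1.0)
    pkts = [
        Packet(1.0, "tcp", "10.1.1.5", 23, "203.0.113.9", 51000, b"login: "),
        Packet(1.5, "tcp", "203.0.113.9", 51000, "10.1.1.5", 23, b"root\r\n"),   # fires
        Packet(2.0, "tcp", "10.1.1.6", 23, "203.0.113.9", 51001, b"login: "),
        Packet(30.0, "tcp", "203.0.113.9", 51001, "10.1.1.6", 23, b"root\r\n"),  # > within
        Packet(3.0, "tcp", "203.0.113.9", 51002, "10.1.1.7", 23, b"root\r\n"),   # no prompt
    ]
    pkts += [Packet(5.0 + i * 0.0004, "udp", "198.51.100.7", 40000,
                    f"10.1.1.{i % 254 + 1}", 30000 + i, b"") for i in range(2001)]
    return run(pkts, [root_telnet, udp_flood])


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two caveats a real engine would have to address: the conversation key is built from the endpoint pairs alone, so it does not survive a client reconnecting from a new source port, and matching `root` anywhere in the client payload after a `login:` prompt is loose (it would also catch a user typing `rootkit-check`); an engine would want the component to anchor the match at the start of the payload and to expire stale conversation state on its own rather than only when the next packet for that conversation arrives.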