[Snort-users] matching composite patterns

Martin Roesch roesch at ...421...
Mon Nov 6 18:00:56 EST 2000

This is a planned feature for a future version (1.8?).  Snort can't do
it right now, but we're planning on getting to work on it after we get
the next version out the door.  Here's a little sneak preview of what
it's probably going to look like:

composite (msg: "root telnet access"; action: tag; within: 20; )
    component tcp $HOME_NET 23 -> $EXTERNAL any (content: "login\:";)
    component tcp $EXTERNAL any -> $HOME_NET 23 (content: "root";)

Look like what you might want?


Jacob Martinson wrote:
> Is there a way to do composite/nonatomic pattern matching?  For instance, I
> want to alert if someone is ping or UDP scanning one of my nets, or if one
> of our networks is getting hit with a UDP DoS . . . say I want to alert if
> there are more than 2000 UDP packets per second with destination port above
> 1024 and destination address on the same subnet . . . is it possible for
> Snort (or a Snort plugin) to do this kind of thing, or is Snort strictly
> limited to atomic, packet-by-packet matching?  If this is not possible with
> Snort, is there another open source tool that can do this (and run on *BSD)?
> TIA . . . Jacob
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
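The composite rule sketched in the reply, as an added example that is neither Snort code nor the planned implementation: a small Python correlator that keeps per-connection state, matches the listed components in order, and drops a partial match once it is older than `within`. It generalizes to any number of components; the packet fields and the sample traffic are constructed.

```python
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

# One decoded packet and one "component" line of the sketched rule (constructed shapes).
Packet = namedtuple("Packet", "ts proto src sport dst dport payload")
Component = namedtuple("Component", "proto service_port from_server content")
# service_port identifies the service (23 = telnet); from_server is True for $HOME_NET 23 -> $EXTERNAL any

@dataclass
class CompositeRule:
    msg: str
    within: float         # max seconds between first and last component match
    components: list      # matched in the order listed
    state: dict = field(default_factory=lambda: defaultdict(list))  # flow -> match timestamps

def flow_key(p):          # direction-independent, so both halves of a connection share state
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

def matches(c, p):
    if p.proto != c.proto or c.content not in p.payload:
        return False
    return p.sport == c.service_port if c.from_server else p.dport == c.service_port

def process(rule, p):
    """Feed one packet; return rule.msg once every component matched within the window."""
    seen = rule.state[flow_key(p)]
    if seen and p.ts - seen[0] > rule.within:   # partial match went stale: start over
        seen.clear()
    if len(seen) < len(rule.components) and matches(rule.components[len(seen)], p):
        seen.append(p.ts)
    if len(seen) == len(rule.components):
        del rule.state[flow_key(p)]
        return rule.msg
    return None
def run(rule, packets):
    return [(p.ts, alert) for p in packets if (alert := process(rule, p))]

# The rule from the post: server banner "login:" then client "root", within 20 s.
ROOT_TELNET = CompositeRule("root telnet access", 20.0, [
    Component("tcp", 23, True, b"login:"),
    Component("tcp", 23, False, b"root"),
])
# Constructed sample traffic: the first flow matches, the second is too slow.
SAMPLE = [
    Packet(0.0, "tcp", "10.0.0.5", 23, "203.0.113.9", 40001, b"\r\nlogin: "),
    Packet(1.5, "tcp", "203.0.113.9", 40001, "10.0.0.5", 23, b"root\r\n"),
    Packet(30.0, "tcp", "10.0.0.5", 23, "203.0.113.10", 40002, b"login: "),
    Packet(55.0, "tcp", "203.0.113.10", 40002, "10.0.0.5", 23, b"root\r\n"),
]
```

`run(ROOT_TELNET, SAMPLE)` yields one alert for the fast flow only; the second flow's "login:" is forgotten before "root" arrives 25 seconds later.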
