[Snort-users] matching composite patterns

Jacob Martinson jmartinson at ...727...
Mon Oct 30 14:15:34 EST 2000


Is there a way to do composite/nonatomic pattern matching?  For instance, I
want to alert if someone is ping or UDP scanning one of my nets, or if one
of our networks is getting hit with a UDP DoS . . . say I want to alert if
there are more than 2000 UDP packets per second with destination port above
1024 and destination address on the same subnet . . . is it possible for
Snort (or a Snort plugin) to do this kind of thing, or is Snort strictly
limited to atomic, packet-by-packet matching?  If this is not possible with
Snort, is there another open source tool that can do this (and run on *BSD)?

tia . . . jacob
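The aggregate check the post describes (more than 2000 UDP packets per second, destination port above 1024, destinations within one subnet) is stateful: it needs a counter kept across packets rather than a per-packet match. As an added illustration, not code from the original post and not Snort or a Snort plugin, here is that counter in Python over a constructed packet list; the record layout, the /24 subnet grouping and the fixed one-second buckets are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample input: (timestamp_seconds, proto, dst_ip, dst_port).
# A burst of 2500 UDP packets to high ports on 10.1.2.0/24 within one second,
# plus a few packets that must NOT count (DNS port, TCP, a quiet subnet).
SAMPLE_PACKETS = (
    [(100.0 + i / 2500, "udp", f"10.1.2.{i % 250 + 1}", 1025 + (i % 5000))
     for i in range(2500)]
    + [(100.3, "udp", "10.1.2.7", 53),        # port not above 1024
       (100.4, "tcp", "10.1.2.8", 80),        # not UDP
       (101.5, "udp", "192.168.5.4", 5000)]   # one packet, far below threshold
)


def subnet_key(dst_ip, prefixlen=24):
    """Collapse a destination address to its /prefixlen network (assumed /24)."""
    return str(ip_network(f"{dst_ip}/{prefixlen}", strict=False))


def detect_udp_floods(packets, threshold=2000, window=1.0, min_port=1024, prefixlen=24):
    """Return sorted (window_start, subnet, count) triples for every
    (subnet, window) pair that saw more than `threshold` UDP packets with
    destination port above `min_port`.

    Packets are counted in fixed buckets of `window` seconds. A burst that
    straddles a bucket boundary can be split and fall under the threshold in
    each half, so a production detector would use a sliding window instead.
    """
    counts = defaultdict(int)
    for ts, proto, dst_ip, dport in packets:
        if proto != "udp" or dport <= min_port:
            continue
        bucket = int(ts // window)
        counts[(bucket, subnet_key(dst_ip, prefixlen))] += 1
    return sorted((b * window, net, n)
                  for (b, net), n in counts.items() if n > threshold)


if __name__ == "__main__":
    for start, net, n in detect_udp_floods(SAMPLE_PACKETS):
        print(f"ALERT t={start:.0f}s {net}: {n} UDP packets to ports >1024 in 1s")
```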
