[Snort-users] wish list...
vision at ...4...
Sat Sep 30 06:47:21 EDT 2000
They both require tcp stream assembly which, AFAIK, is not yet functional
in Snort. Once TCP streams are managed, we will want protocol decodes for
just about everything - the binary content matches should eventually go
away. Fast regex might be nice too since we're wishing :)
On Thu, 28 Sep 2000, Erik Fichtner wrote:
> Just to stimulate discussion, there's a couple of things I'd like to be
> able to accomplish...
> 1) full http decoding into header fields, so that we can search for
> things in specific http headers (or NOT in specific headers, as the
> case may be)
> a way to say "Match in the packet but only until you run into
> string 'foo', and then give up searching" ("depth" isn't really
> flexible enough as the initial command of an http request can be
> arbitrarily long, but we'd like to only search in that up to the
> example: elimination of false positives based on Referer: header.
> 2) "give me the previous (n) packet(s)" option.
> example: when we match on something like "530 Login incorrect"
> (ftp bad login), it would be very nice to be able to go back
> a couple of packets in the stream and save what USER was attempted,
> but it's impractical to alert on all USER attempts just to be able
> to correlate later.
> I don't know if either of these are feasible.
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
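To make the three requests above concrete, here is a small stand-alone Python sketch (an added example, not code from the thread or from Snort) of a stream-level matcher: search only up to a stop string, match inside one decoded HTTP header field (or require its absence), and keep a ring buffer of previous client packets so a "530 Login incorrect" reply can be correlated back to the USER that was attempted. The HTTP request and FTP segments are constructed sample data, assumed to be already reassembled per direction.

```python
from collections import deque
import re

def search_until(payload: bytes, pattern: bytes, stop: bytes = b"\r\n") -> bool:
    """Search for `pattern` only up to the first occurrence of `stop` (the
    'match until you run into string foo' idea); default stop = end of request line."""
    end = payload.find(stop)
    region = payload if end < 0 else payload[:end]
    return re.search(pattern, region) is not None

def http_headers(payload: bytes) -> dict:
    """Decode an HTTP request head into {lowercased field: value}; body is ignored."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return headers

def header_match(payload: bytes, field: str, pattern: str, negate: bool = False) -> bool:
    """Match `pattern` inside one header field only; negate=True means 'must NOT match'
    (a missing header counts as not matching, so negate=True fires on it)."""
    value = http_headers(payload).get(field.lower(), "")
    hit = re.search(pattern, value) is not None
    return hit != negate

def ftp_failed_login_users(segments, lookback: int = 3) -> list:
    """On a '530 Login incorrect' reply, look back at most `lookback` earlier
    client segments (ring buffer of previous packets) for the USER that was tried."""
    recent = deque(maxlen=lookback)
    users = []
    for direction, data in segments:
        if direction == "client":
            recent.append(data)
        elif data.startswith(b"530 Login incorrect"):
            user = None
            for prev in reversed(recent):
                m = re.match(rb"USER (\S+)", prev)
                if m:
                    user = m.group(1).decode()
                    break
            users.append(user)          # None if no USER within the lookback window
    return users

# Constructed sample traffic (not captured data).
HTTP_REQ = (b"GET /cgi-bin/test.cgi HTTP/1.0\r\nHost: www.example.com\r\n"
            b"Referer: http://www.example.com/index.html\r\n\r\n")
FTP_SEGMENTS = [("client", b"USER alice\r\n"), ("server", b"331 Password required.\r\n"),
                ("client", b"PASS hunter2\r\n"), ("server", b"530 Login incorrect.\r\n"),
                ("client", b"USER bob\r\n"), ("server", b"230 User bob logged in.\r\n")]
```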