[Snort-users] wish list...

Max Vision vision at ...4...
Sat Sep 30 06:47:21 EDT 2000


They both require tcp stream assembly which, AFAIK, is not yet functional
in Snort.  Once TCP streams are managed, we will want protocol decodes for
just about everything - the binary content matches should eventually go
away.  Fast regex might be nice too since we're wishing :)

Max

On Thu, 28 Sep 2000, Erik Fichtner wrote:
> 
> Just to stimulate discussion, there's a couple of things I'd like to be
> able to accomplish...  
> 
> 
> 1)	full http decoding into header fields, so that we can search for
> 	things in specific http headers (or NOT in specific headers, as the
> 	case may be)  
> 
> 	or,
> 
> 	a way to say "Match in the packet but only until you run into 
> 	string 'foo', and then give up searching"    ("depth" isn't really
> 	flexible enough as the initial command of an http request can be 
> 	arbitrarily long, but we'd like to only search in that up to the
> 	newline.)
> 
> 	example:  elimination of false positives based on Referer: header.
> 
> 
> 2)	"give me the previous (n) packet(s)" option.  
> 
> 	example:   when we match on something like "530 Login incorrect"
> 	(ftp bad login), it would be very nice to be able to go back
> 	a couple of packets in the stream and save what USER was attempted,
> 	but it's impractical to alert on all USER attempts just to be able
> 	to correlate later.
> 
> 
> I don't know if either of these are feasible.
> 
> 
> -- 
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
> 703-333-5900
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
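An added illustration of item 2 above (not part of the thread, and not Snort code): keeping a per-flow ring buffer of the last n packets so that a match on "530 Login incorrect" can be correlated with the USER command that preceded it, instead of alerting on every USER. The FTP packets, addresses and user names below are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample FTP control-channel traffic: (flow, direction, payload),
# one entry per packet, two client sessions interleaved. Not a real capture.
FLOW_A = ("10.0.0.5", "10.0.0.21")
FLOW_B = ("10.0.0.6", "10.0.0.21")
SAMPLE_PACKETS = [
    (FLOW_A, "server", "220 ftp ready\r\n"),
    (FLOW_A, "client", "USER alice\r\n"),
    (FLOW_B, "server", "220 ftp ready\r\n"),
    (FLOW_A, "server", "331 Password required for alice\r\n"),
    (FLOW_B, "client", "USER mallory\r\n"),
    (FLOW_A, "client", "PASS hunter2\r\n"),
    (FLOW_B, "server", "331 Password required for mallory\r\n"),
    (FLOW_A, "server", "530 Login incorrect.\r\n"),
    (FLOW_B, "client", "PASS letmein\r\n"),
    (FLOW_A, "client", "USER bob\r\n"),
    (FLOW_B, "server", "530 Login incorrect.\r\n"),
    (FLOW_A, "server", "331 Password required for bob\r\n"),
    (FLOW_A, "client", "PASS secret\r\n"),
    (FLOW_A, "server", "230 Login successful.\r\n"),
]

def correlate_failed_logins(packets, history=4):
    """Return (flow, username) for each '530' reply. The username comes from
    the most recent client USER command within the last `history` packets of
    the same flow; None means the USER command had already aged out."""
    recent = defaultdict(lambda: deque(maxlen=history))  # per-flow ring buffer
    alerts = []
    for flow, direction, payload in packets:
        if direction == "server" and payload.startswith("530 "):
            user = None
            # walk backwards through this flow's recent packets
            for prev_dir, prev_payload in reversed(recent[flow]):
                if prev_dir == "client" and prev_payload.upper().startswith("USER "):
                    user = prev_payload[5:].strip()
                    break
            alerts.append((flow, user))
        recent[flow].append((direction, payload))  # remember for later matches
    return alerts

if __name__ == "__main__":
    for flow, user in correlate_failed_logins(SAMPLE_PACKETS):
        print(f"{flow[0]} -> {flow[1]}: failed login for USER {user!r}")
```

With a history of four packets both failed logins resolve to a user name; shrinking it to two shows the failure mode Erik describes, where the USER line has already scrolled out of reach.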
