[Snort-users] Preprocessor to collect application layer protocol stats?

Bill Gercken bgercken at ...1569...
Tue Mar 13 21:28:01 EST 2001


I am wondering if anyone has developed a preprocessor for snort, which will
collect statistics on application layer protocols such as http, ftp, telnet,
etc., as in a protocol analyzer. I am looking for two things here:

1. To be able to create a summary for a specified list of protocols. As in:

http: 1000
ftp: 100
telnet: 200

2. Possibly order the protocols by top talker(s) with a given threshold. As
in threshold > 100:

http summary 110 140 1000

The purpose of the preprocessor would be for post analysis of raw packets
collected in binary format. We collect packet headers for all traffic
passing through our network and it would be nice to be able to use snort to
provide quick analysis of chunks of the stored data. It would also be useful
for something like: snort -v -r tcp.20010312 -c analyze.conf "host"
which would grab data for the specified host from the raw files.

If there is nothing out there, I will give it a shot. Thanks for your time.

William C. Gercken                          Email: bgercken at ...1569...
Provident Analysis Corporation
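
An added example, not part of the original post and not Snort code: an offline script that reads a classic libpcap file and produces the per-protocol packet summary and the per-source counts above a threshold that the post describes. The port-to-protocol map, the function names and the sample capture are assumptions constructed for illustration, and treating the source IP as the "talker" is one reading of item 2.

```python
import struct
from collections import Counter, defaultdict
PORTS = {80: "http", 21: "ftp", 23: "telnet"}  # assumed list: protocol by TCP port

def summarize(pcap, threshold=0):
    """Count packets per protocol and per source IP in a classic Ethernet pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or len(pcap) < 24:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    totals, talkers = Counter(), defaultdict(Counter)
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Header-only captures are truncated, so check lengths before indexing.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        frag_off = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        if frame[23] != 6 or frag_off or ihl < 20 or len(frame) < 14 + ihl + 4:
            continue  # not TCP, or no TCP header in this frame
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        proto = PORTS.get(dport) or PORTS.get(sport)
        if proto:
            totals[proto] += 1
            talkers[proto][".".join(map(str, frame[26:30]))] += 1
    top = {p: [(ip, n) for ip, n in c.most_common() if n > threshold]
           for p, c in talkers.items()}
    return dict(totals), top

def sample_pcap():
    """Constructed capture: 10.0.0.1 sends 3 http packets; 10.0.0.2 sends 1 http, 1 telnet."""
    def record(src, dport):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(src), bytes([10, 0, 0, 9]))
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 1024, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    flows = [((10, 0, 0, 1), 80)] * 3 + [((10, 0, 0, 2), 80), ((10, 0, 0, 2), 23)]
    return header + b"".join(record(s, d) for s, d in flows)

if __name__ == "__main__":
    totals, top = summarize(sample_pcap(), threshold=2)
    for proto, n in sorted(totals.items()):
        print(f"{proto}: {n}  over threshold: {top[proto]}")
```

Packets are classified by well-known port only, so traffic on non-standard ports is not counted, and pcapng or nanosecond-resolution files are rejected with `ValueError`.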
