[Snort-users] Preprocessor to collect application layer protocol stats?

Bill Gercken bgercken at ...1569...
Tue Mar 13 21:28:01 EST 2001


Hello,

I am wondering if anyone has developed a preprocessor for snort, which will
collect statistics on application layer protocols such as http, ftp, telnet
etc as in a protocol analyzer. I am looking for two things here:

1. To be able to create a summary for a specified list of protocols. As in:

http: 1000
ftp: 100
telnet: 200
Etc.

2. Possibly order the protocols by top talker(s) with a given threshold. As
in threshold > 100:

http summary
10.1.1.1 110
10.1.1.2 140
10.1.1.3 1000
Etc.

The purpose of the preprocessor would be for post analysis of raw packets
collected in binary format. We collect packet headers for all traffic
passing through our network and it would be nice to be able to use snort to
provide quick analysis of chunks of the stored data. It would also be useful
for something like: snort -v -r tcp.20010312 -c analyze.conf "host 10.1.1.1"
which would grab data for the specified host from the raw files.

If there is nothing out there, I will give it a shot. Thanks for your time.

Regards,
-bill
--
William C. Gercken                          Email: bgercken at ...1569...
Provident Analysis Corporation





