[Snort-users] RE: [Off topic] Traffic analysis
richard_bejtlich at ...131...
Fri Dec 5 18:21:01 EST 2003
I forgot to mention two other ways to collect
(http://irg.cs.ohiou.edu/software/tcptrace) may be
built with packet analysis in mind, but it also
provides session data.
5. Snort's stream4 preprocessor can flush session
stats periodically if told via "keepstats". The
following logs session data to the file ssn_logs:
preprocessor stream4: detect_scans,
disable_evasion_alerts, keepstats db
The keepstats output isn't intended for direct human
consumption, but it can be parsed to provide more
readable output. We use this method for session data
in the Sguil project (http://sguil.sf.net).
Argus, SANCP, tcptrace, and Snort keepstats can all be
run against pcap traces. I'm not sure if the NetFlow
tools do this.