[Snort-users] RE: [Off topic] Traffic analysis

Richard Bejtlich richard_bejtlich at ...131...
Fri Dec 5 18:21:01 EST 2003


I forgot to mention two other ways to collect
session data:

4.  Tcptrace
(http://irg.cs.ohiou.edu/software/tcptrace) may be
built with packet analysis in mind, but it also
provides session data.

5.  Snort's stream4 preprocessor can flush session
stats periodically if told via "keepstats".  The
following logs session data to the file ssn_logs:

preprocessor stream4: detect_scans,
disable_evasion_alerts, keepstats db

The keepstats output isn't intended for direct human
consumption, but it can be parsed to provide more
readable output.  We use this method for session data
in the Sguil project (http://sguil.sf.net).

Argus, SANCP, tcptrace, and Snort keepstats can all be
run against pcap traces.  I'm not sure if the NetFlow
tools do this.
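As an added illustration (not code from the post or from the Sguil project) of turning keepstats-style session records into the more readable form mentioned above: the pipe-delimited field layout and the sample records below are assumptions constructed for this example, not the real stream4 output format, so the field order must be verified against the Snort version in use before pointing this at a live ssn_logs file.

```python
"""Summarise session records (assumed stream4-keepstats-like layout)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records, NOT real sensor output. Assumed fields:
# start|end|src_ip|src_port|dst_ip|dst_port|src_pkts|src_bytes|dst_pkts|dst_bytes
SAMPLE_SSN_LOGS = """\
1070650000|1070650090|192.0.2.10|34567|198.51.100.5|80|12|1480|10|9210
1070650005|1070655005|192.0.2.11|40021|203.0.113.9|22|3400|512000|3300|498000
1070650010|1070650011|192.0.2.12|51000|198.51.100.5|443|1|60|0|0
"""

@dataclass
class Session:
    start: int
    end: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_pkts: int
    src_bytes: int
    dst_pkts: int
    dst_bytes: int

    @property
    def duration(self) -> int:
        """Session lifetime in seconds."""
        return self.end - self.start

def parse_ssn_logs(text: str) -> list:
    """Parse one session per line; reject malformed lines loudly."""
    sessions = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        f = line.split("|")
        if len(f) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(f)}")
        sessions.append(Session(int(f[0]), int(f[1]), f[2], int(f[3]), f[4],
                                int(f[5]), int(f[6]), int(f[7]), int(f[8]), int(f[9])))
    return sessions

def fmt(s: Session) -> str:
    """Human-readable one-line summary of a session (UTC timestamp)."""
    ts = datetime.fromtimestamp(s.start, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return (f"{ts} {s.src_ip}:{s.src_port} -> {s.dst_ip}:{s.dst_port} "
            f"{s.duration}s out={s.src_pkts}pk/{s.src_bytes}B in={s.dst_pkts}pk/{s.dst_bytes}B")

def long_sessions(sessions, min_seconds=3600):
    """Sessions alive at least min_seconds: worth a look for persistent tunnels."""
    return [s for s in sessions if s.duration >= min_seconds]

def unanswered(sessions):
    """Sessions where the destination never sent a packet (scan-like behaviour)."""
    return [s for s in sessions if s.dst_pkts == 0]
```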


