[Snort-users] RE: [Off topic] Traffic analysis

Richard Bejtlich richard_bejtlich at ...131...
Fri Dec 5 18:21:01 EST 2003


Erwin,

I forgot to mention two other ways to collect
session data:

4.  Tcptrace
(http://irg.cs.ohiou.edu/software/tcptrace) may be
built with packet analysis in mind, but it also
provides session data.

5.  Snort's stream4 preprocessor can flush session
stats periodically if told via "keepstats".  The
following logs session data to the file ssn_logs:

preprocessor stream4: detect_scans,
disable_evasion_alerts, keepstats db
/nsm/snort/ssn_logs

The keepstats output isn't intended for direct human
consumption, but it can be parsed to provide more
readable output.  We use this method for session data
in the Sguil project (http://sguil.sf.net).

Argus, SANCP, tcptrace, and Snort keepstats can all be
run against pcap traces.  I'm not sure if the NetFlow
tools do this.

Sincerely,

Richard
http://taosecurity.com
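The session-data idea discussed above (per-flow start/end times plus per-direction packet and byte counts, the kind of record keepstats, Argus or SANCP would emit) worked through on a pcap trace, as an added example that is not part of this post or of the Snort/Sguil code: a minimal libpcap reader that collapses TCP packets into session records, run over a constructed four-packet trace whose addresses and ports are made up.

```python
import struct

def tcp_frame(src, dst, sport, dport, payload_len):
    """Constructed Ethernet/IPv4/TCP frame (zeroed checksums; enough for flow accounting)."""
    eth = b"\x00" * 12 + b"\x08\x00"                              # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0, 0, 0)
    return eth + ip + tcp + b"\x00" * payload_len

def build_pcap(packets):
    """packets: list of (ts_sec, frame). Returns a libpcap file (little-endian, linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def sessions_from_pcap(data):
    """Collapse TCP packets into session records keyed by first-seen direction (originator first)."""
    endian = "<" if data[:4] == struct.pack("<I", 0xA1B2C3D4) else ">"
    sessions, off = {}, 24                                         # 24-byte global header
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:        # only IPv4 + TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_len, = struct.unpack("!H", frame[16:18])                # IP total length = bytes on the wire
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        key, d = (rev, 1) if rev in sessions else (fwd, 0)       # d=0 originator->responder
        s = sessions.setdefault(key, {"start": ts, "end": ts, "pkts": [0, 0], "bytes": [0, 0]})
        s["start"], s["end"] = min(s["start"], ts), max(s["end"], ts)
        s["pkts"][d] += 1
        s["bytes"][d] += ip_len
    return sessions

def sample_pcap():
    """Constructed trace: one HTTP-style exchange and one unanswered connection to port 22."""
    return build_pcap([
        (1000, tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80, 100)),
        (1001, tcp_frame("10.0.0.2", "10.0.0.1", 80, 40000, 300)),
        (1002, tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80, 0)),
        (1005, tcp_frame("10.0.0.1", "10.0.0.3", 40001, 22, 50)),
    ])
```

`sessions_from_pcap(sample_pcap())` yields two records; the same reader works on any real trace by passing the file's bytes instead of the constructed one.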

