[Snort-users] connection tracking

Peter Moody peter at ...9047...
Thu Jun 26 14:07:20 EDT 2003


OK, first question answered.  On to question 2.

Now that I've got snort ignoring traffic that I don't care about and
logging everything else, I was wondering about the statefulness of the
matching.

If, in my hypothetical situation, I wanted to ignore all p2p traffic, I
know that I could have snort pass on some initial rules (say, a packet
with a "User-Agent: Kazaa"), and then log everything else.  However, I
also want to see about getting snort to not log all of the packets
associated with a user downloading the latest Jenna Jameson movie.  The
packets containing the movie, to the best of my knowledge, wouldn't
contain the User-Agent string, but they would be associated with the
initial connection which did contain that string.  I see that the
stream4 pre-processor has some sort of connection tracking, but will
snort somehow know to pass on those packets as well?

Thanks.

-Peter

-- 
Peter Moody                             <peter at ...9047...>
Information Security Administrator      831/459.5409
Communications and Technology Services. http://mustard.ucsc.edu/pubkey
UC, Santa Cruz.
:wq
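
The per-connection suppression asked about above, as an added illustration that is not part of the original post and is not Snort code: once one packet of a TCP connection carries the marker string, every later packet of that connection is skipped in both directions. It does not show what Snort or stream4 actually does; the `Packet` type, the function names and the sample packets are constructed for this sketch.

```python
from typing import NamedTuple

class Packet(NamedTuple):          # hypothetical, TCP-only packet record
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

MARKER = b"User-Agent: Kazaa"      # the string from the post

def flow_key(p):
    """Direction-independent key, so replies map to the same connection."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def packets_to_log(packets, marker=MARKER):
    """Return the packets that would be logged.

    A flow is added to `ignored` when the marker is seen; from that packet
    on, nothing in that flow is logged. Packets seen before the marker
    (e.g. the handshake) have already been logged and stay logged.
    """
    ignored, logged = set(), []
    for p in packets:
        key = flow_key(p)
        if key not in ignored and marker in p.payload:
            ignored.add(key)
        if key not in ignored:
            logged.append(p)
    return logged

# Constructed sample traffic: one p2p transfer and one ordinary web request.
SAMPLE = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 1214, b""),  # handshake, no state yet
    Packet("10.0.0.5", 40000, "192.0.2.10", 1214,
           b"GET /file HTTP/1.1\r\nUser-Agent: Kazaa\r\n\r\n"),
    Packet("192.0.2.10", 1214, "10.0.0.5", 40000, b"\x00\x01 file data"),
    Packet("10.0.0.6", 40001, "192.0.2.20", 80,
           b"GET / HTTP/1.1\r\nUser-Agent: Mozilla\r\n\r\n"),
    Packet("192.0.2.10", 1214, "10.0.0.5", 40000, b"\x02\x03 more file data"),
    Packet("192.0.2.20", 80, "10.0.0.6", 40001, b"HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for p in packets_to_log(SAMPLE):
        print(p.src, p.sport, "->", p.dst, p.dport, p.payload[:20])
```

The sketch matches the marker within a single payload only; a marker split across TCP segments would need the stream reassembled before matching.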