[Snort-users] Grouping connections

Joel Esler jesler at ...1935...
Wed Apr 22 10:59:59 EDT 2009


Take a look at the tag keyword.
http://www.snort.org/docs/snort_htmanuals/htmanual_284/node373.html

The flags keyword simply will trigger on the presence of certain TCP flags
set in the packet.  This is probably not what you want.

J

2009/4/22 Ulisses Araújo Costa <ulissesaraujocosta at ...11827...>

> Hello,
>
> I'm using Snort in a project. I'm wondering if with Snort I can group
> packets from the same connection. For example: if I request google.com, I
> just send one packet but the response comes in (imagine) 4 packets. The idea
> is to make Snort just consider that as 2 states (me making the request and
> google sending the response). The problem is I want to do that for
> connections, not sessions.
>
> If it were sessions I could use the 'flag' keyword. Now I'm seeing if the way
> is to use preprocessors, in this case the HTTP preprocessor.
>
> Can you help me?
>
> Best Regards,
>
> --
> Ulisses Costa - http://caos.di.uminho.pt/~ulisses/



-- 
joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974 |
http://twitter.com/joelesler