[Snort-users] Grouping connections

Joel Esler jesler at ...1935...
Mon Apr 27 11:24:38 EDT 2009


Okay.  Excuse my thoroughness, but I think things were pretty confused.
If you want to log sessions, you can do so using the tag keyword, as well as
the "flush" statements within Stream5.

Since sessions are made up of connections, if you want to log connections,
log the session.  (We're talking about the same thing here.)

If you want to log just packets, without the IDS nature of it, you can use
Snort as just a general sniffer.

Joel

2009/4/27 Ulisses Araújo Costa <ulissesaraujocosta at ...11827...>

>
>
> 2009/4/27 Joel Esler <jesler at ...1935...>
>
>> So, I think you need to define, to us, what you mean by "session"
>> "connection" and "packets".  Clearly, we are not understanding each other.
>>
>
> ?  This is getting ridiculous...
> Joel, one TCP session could have multiple connections, right? Like when you
> are downloading a webpage, it is just one session, but multiple connections...
> Each connection is made of several packets. That is, the packet is the
> atomic unit.
>
>
>> Joel
>>
>> 2009/4/27 Ulisses Araújo Costa <ulissesaraujocosta at ...11827...>
>>
>>> One session has many connections. And one connection has many packets...
>>> I think the problem is that I didn't explain what connection means to me...
>>>
>>>
>>> 2009/4/24 Ulisses Araújo Costa <ulissesaraujocosta at ...11827...>
>>>
>>>> I want to identify connections, not sessions. I want more detail:
>>>> connections...
>>>>
>>>> 2009/4/24 Joel Esler <jesler at ...1935...>
>>>>
>>>>> A session is made up of connections.  Now I am thoroughly confused about
>>>>> what you are asking for.
>>>>> J
>>>>>
>>>>> 2009/4/24 Ulisses Araújo Costa <ulissesaraujocosta at ...11827...>
>>>>>
>>>>>> Joel Esler, with 'tag:session' I can just identify the session. I want
>>>>>> to be able to identify connections.
>>>>>>
>>>>>> 2009/4/23 Joel Esler <jesler at ...1935...>
>>>>>>
>>>>>>> The fact that the alert took place tells you that flow X <> Y
>>>>>>> happened.
>>>>>>>
>>>>>>> J
>>>>>>>
>>>>>>> 2009/4/22 Ulisses Araújo Costa <ulissesaraujocosta at ...11827...>
>>>>>>>
>>>>>>>> Hi Leon,
>>>>>>>>
>>>>>>>> what I want is to record that the request X has the response Y.
>>>>>>>> What I explained is that probably the request X is just a packet, but the
>>>>>>>> response Y is 4 packets. The only thing I want to know is that the flow X <>
>>>>>>>> Y happened.
>>>>>>>>
>>>>>>>> 2009/4/22 Leon Ward <seclists at ...14165...>
>>>>>>>>
>>>>>>>>> Hi.
>>>>>>>>>
>>>>>>>>> Sorry I don't think I understand what you are asking. Can you share
>>>>>>>>> the goal you are trying to achieve rather than the method you are trying to
>>>>>>>>> resolve it by?
>>>>>>>>>
>>>>>>>>> >The idea is make Snort just consider that as 2 states (me making
>>>>>>>>> the request and google sending the response). The problem is I want to make
>>>>>>>>> that to connections, not sessions.
>>>>>>>>>
>>>>>>>>> If you need to differentiate between data in each flow direction,
>>>>>>>>> take a look at "flow".
>>>>>>>>>
>>>>>>>>> -Leon
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2009/4/22 Ulisses Araújo Costa <ulissesaraujocosta at ...11827...>
>>>>>>>>>
>>>>>>>>>> Joel,
>>>>>>>>>>
>>>>>>>>>> that's what I said:
>>>>>>>>>>
>>>>>>>>>> "
>>>>>>>>>> The problem is I want to make that to connections, not sessions.
>>>>>>>>>>
>>>>>>>>>> If it were sessions I could use the 'flag' keyword.
>>>>>>>>>> "
>>>>>>>>>>
>>>>>>>>>> But I *don't* want sessions.
>>>>>>>>>>
>>>>>>>>>> 2009/4/22 Joel Esler <jesler at ...1935...>
>>>>>>>>>>
>>>>>>>>>>> Take a look at the tag keyword.
>>>>>>>>>>>
>>>>>>>>>>> http://www.snort.org/docs/snort_htmanuals/htmanual_284/node373.html
>>>>>>>>>>>
>>>>>>>>>>> The flags keyword simply will trigger on the presence of certain
>>>>>>>>>>> TCP flags set in the packet.  This is probably not what you want.
>>>>>>>>>>>
>>>>>>>>>>> J
>>>>>>>>>>>
>>>>>>>>>>> 2009/4/22 Ulisses Araújo Costa <ulissesaraujocosta at ...14542....>
>>>>>>>>>>>
>>>>>>>>>>>>  Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm using Snort in a project. I'm wondering if with Snort I can
>>>>>>>>>>>> group packets from the same connection. For example: if I request
>>>>>>>>>>>> google.com, I just send one packet but the response comes in
>>>>>>>>>>>> (imagine) 4 packets. The idea is to make Snort just consider that as 2 states
>>>>>>>>>>>> (me making the request and google sending the response). The problem is I
>>>>>>>>>>>> want to make that for connections, not sessions.
>>>>>>>>>>>>
>>>>>>>>>>>> If it were sessions I could use the 'flag' keyword. Now I'm seeing
>>>>>>>>>>>> if the way is to use preprocessors, in this case the HTTP preprocessor.
>>>>>>>>>>>>
>>>>>>>>>>>> Can you help me?
>>>>>>>>>>>>
>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Ulisses Costa - http://caos.di.uminho.pt/~ulisses/
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>> Stay on top of everything new and different, both inside and
>>>>>>>>>>>> around Java (TM) technology - register by April 22, and save
>>>>>>>>>>>> $200 on the JavaOne (SM) conference, June 2-5, 2009, San
>>>>>>>>>>>> Francisco.
>>>>>>>>>>>> 300 plus technical and hands-on sessions. Register today.
>>>>>>>>>>>> Use priority code J9JMT32. http://p.sf.net/sfu/p
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Snort-users mailing list
>>>>>>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>>>>>>> Snort-users list archive:
>>>>>>>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> joel esler | Sourcefire | gtalk: jesler at ...1935... |
>>>>>>>>>>> 302-223-5974 | http://twitter.com/joelesler
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Ulisses Costa - http://caos.di.uminho.pt/~ulisses/
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Ulisses Costa - http://caos.di.uminho.pt/~ulisses/
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> joel esler | Sourcefire | gtalk: jesler at ...1935... |
>>>>>>> 302-223-5974 | http://twitter.com/joelesler
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Ulisses Costa - http://caos.di.uminho.pt/~ulisses/
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
>>>>> | http://twitter.com/joelesler
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Ulisses Costa - http://caos.di.uminho.pt/~ulisses/
>>>>
>>>
>>>
>>>
>>> --
>>> Ulisses Costa - http://caos.di.uminho.pt/~ulisses/
>>>
>>
>>
>>
>> --
>> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974 |
>> http://twitter.com/joelesler
>>
>
>
>
> --
> Ulisses Costa - http://caos.di.uminho.pt/~ulisses/
>



-- 
joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974 |
http://twitter.com/joelesler
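As an added example (not part of the thread, and not Joel's or the Snort project's own rule set), here is how the keywords discussed above combine in Snort 2.x rule syntax: flow restricts the match to the client-to-server half of an established TCP stream, and tag:session makes Snort log the remainder of that session, so the single request packet and the multi-packet response end up in the same log, tied to one alert. A second rule shows why flags alone does not do this. The sid/rev values, the msg strings and the 60-second tag window are illustrative assumptions.

```snort
# Added example, not from the thread. Snort 2.x rule syntax; the sid/rev,
# msg text and tag window are assumptions chosen for illustration.

# 1. Fire on the client's HTTP request only (flow: to_server,established),
#    then keep logging the rest of this TCP session for up to 60 seconds
#    (tag: session). Every packet of the server's multi-packet response is
#    logged as "tagged" traffic linked to this one alert, which is how
#    Snort groups a request with its response without a separate rule
#    per response packet.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"EXAMPLE log rest of session after HTTP request"; \
    flow:to_server,established; \
    content:"GET "; depth:4; \
    tag:session,60,seconds; \
    sid:1000001; rev:1; )

# 2. For contrast: flags only tests the TCP header bits of one packet.
#    This matches the bare SYN that opens a connection and nothing else,
#    so it identifies neither the session nor the request/response pair.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"EXAMPLE new outbound TCP connection (SYN only)"; \
    flags:S; \
    sid:1000002; rev:1; )
```

Run with a rules file and `-b -l <logdir>`, Snort writes the alerting packet and its tagged follow-on packets to the log directory in tcpdump format, so the request/response pair can be read back with any pcap tool. The same `-b -l` options without a rules file are the plain packet-logger mode Joel refers to: every packet is recorded, but nothing is grouped. Whether `content:"GET "` sees the request in one piece depends on Stream5's reassembly and flush settings; the example assumes the default stream5 configuration.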