[Snort-users] Fwd: [snort-user] About packet content

Joel Esler jesler at ...1935...
Fri Sep 6 14:45:44 EDT 2013


Snort does do anomaly detection in the form of preprocessors, but I think we're being asked to predict the future, and I don't think we've invented that yet.


On Sep 6, 2013, at 1:06 PM, Jefferson, Shawn <Shawn.Jefferson at ...14448...> wrote:

> Maybe some sort of "racial profiling" for packets? ;) 
> 
> I think that maybe Mayur might mean, what are the structures that we're looking at?  If so, that's the packet structure itself, and then the structure of any application data riding on top of those.  You need to do some research if you are expecting to write rules to detect anomalies and attacks in those structures.
> 
> If that's not what you meant, then maybe you are looking more for anomaly detection or similar, which I don't think Snort really does particularly.
> 
> 
> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...] 
> Sent: Friday, September 06, 2013 6:00 AM
> To: Mayur Patil
> Cc: snort-users at lists.sourceforge.net; Bill Parker
> Subject: Re: [Snort-users] Fwd: [snort-user] About packet content
> 
> So, you are asking if we can know the content of the traffic, before the traffic arrives?
> 
> On Fri, Sep 6, 2013 at 1:52 AM, Mayur Patil <ram.nath241089 at ...11827...> wrote:
>> Hello,
>> 
>>      I have one question, which might be foolish......
>> 
>>      In a Snort rule we define content for packets,
>> 
>>      like content:|00 36 90 23 08|
>> 
>>      Is there any way to know what content the incoming data is
>> having before the attack is performed? Any prototype which defines a
>> specific structure?
>> 
>>      Seeking guidance,
>> 
>>      Thanks !
>> --
>> Cheers,
>> Mayur.
>> 
>> 
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest 
>> Snort news!
> 
> 
> 
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
> 
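The thread turns on what a Snort `content:` option actually is: a literal byte pattern (text, or hex between pipe characters, as in the `content:|00 36 90 23 08|` example above) that Snort searches for in the payload of a packet it has already captured. The following added example, which is not part of the thread and not Snort's own code, makes that concrete: it parses a `content:` value into bytes and searches a constructed payload for it, with a simplified `offset`/`depth` window. It assumes the basic pipe-delimited hex syntax only (no backslash escapes, no `nocase`, and `depth` measured from `offset`); those are assumptions, not a full implementation of Snort's rule language.

```python
import re
from typing import Optional

# Constructed sample payload (not from the thread): the five bytes from the
# example rule appear at index 2, followed by a trailing 0xff.
SAMPLE_PAYLOAD = b"\x01\x02\x00\x36\x90\x23\x08\xff"

_HEX_RE = re.compile(r"[0-9A-Fa-f]*")


def parse_snort_content(spec: str) -> bytes:
    """Convert a Snort content: value into the raw bytes Snort would search for.

    Text outside pipe characters is taken literally; text between a pair of
    pipes is a run of hex byte pairs, e.g. 'GET |20|/' -> b'GET  /'.
    Assumption: no backslash-escape handling (simplified syntax).
    """
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        # An even number of segments means an odd number of pipes: unbalanced.
        raise ValueError(f"unbalanced pipe characters in content: {spec!r}")

    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            # Even segments are literal text.
            out += part.encode("latin-1")
        else:
            # Odd segments are hex; whitespace between byte pairs is ignored.
            digits = part.replace(" ", "")
            if not digits or len(digits) % 2 or not _HEX_RE.fullmatch(digits):
                raise ValueError(f"bad hex section in content: {part!r}")
            out += bytes.fromhex(digits)
    return bytes(out)


def content_matches(payload: bytes, spec: str, offset: int = 0,
                    depth: Optional[int] = None) -> int:
    """Search payload for the content pattern; return the match index or -1.

    offset: byte position in the payload where the search starts.
    depth:  how many bytes from offset to search (assumption: measured from
            offset, which is a simplification of Snort's modifiers).
    """
    pattern = parse_snort_content(spec)
    if depth is None:
        window = payload[offset:]
    else:
        window = payload[offset:offset + depth]
    idx = window.find(pattern)
    return -1 if idx < 0 else offset + idx


if __name__ == "__main__":
    spec = "|00 36 90 23 08|"
    print("pattern bytes:", parse_snort_content(spec).hex(" "))
    print("match index in sample payload:", content_matches(SAMPLE_PAYLOAD, spec))
    print("match with depth=4:", content_matches(SAMPLE_PAYLOAD, spec, depth=4))
```

The point for the original question: the matcher can only run over bytes that have already reached the sensor, so the rule author decides in advance which byte sequence is worth alerting on, and Snort reports where (if anywhere) that sequence occurs in each captured payload; it cannot tell you what a payload will contain before it arrives.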