This is a discussion on Re: [Snort-users] Grouping connections within the Snort forums, part of the System Security and Security Related category.
One session has many connections, and one connection has many packets... I think the problem is that I don't explain what "connection" means to me...

2009/4/24 Ulisses Araújo Costa <ulissesaraujocosta@gmail.com>
> I want to identify connections, not sessions. I want more detail: connections...
>
> 2009/4/24 Joel Esler <jesler@sourcefire.com>
>> A session is made up of connections. Now I am thoroughly confused about what you are asking for.
>>
>> J
>>
>> 2009/4/24 Ulisses Araújo Costa <ulissesaraujocosta@gmail.com>
>>> Joel Esler, with 'tag:session' I can just identify the session. I want to be able to identify connections.
>>>
>>> 2009/4/23 Joel Esler <jesler@sourcefire.com>
>>>> The fact that the alert took place tells you that flow X <> Y happened.
>>>>
>>>> J
>>>>
>>>> 2009/4/22 Ulisses Araújo Costa <ulissesaraujocosta@gmail.com>
>>>>> Hi Leon,
>>>>>
>>>>> What I want is to record that the request X has the response Y. What I explained is that probably the request X is just a packet, but the response Y is 4 packets. The only thing I want to know is that the flow X <> Y happened.
>>>>>
>>>>> 2009/4/22 Leon Ward <seclists@rm-rf.co.uk>
>>>>>> Hi.
>>>>>>
>>>>>> Sorry, I don't think I understand what you are asking. Can you share the goal you are trying to achieve rather than the method you are trying to resolve it by?
>>>>>>
>>>>>> > The idea is to make Snort just consider that as 2 states (me making the request and google sending the response). The problem is I want to make that to connections, not sessions.
>>>>>>
>>>>>> If you need to differentiate between data in each flow direction, take a look at "flow".
>>>>>>
>>>>>> -Leon
>>>>>>
>>>>>> 2009/4/22 Ulisses Araújo Costa <ulissesaraujocosta@gmail.com>
>>>>>>> Joel,
>>>>>>>
>>>>>>> that's what I said:
>>>>>>>
>>>>>>> "
>>>>>>> The problem is I want to make that to connections, not sessions.
>>>>>>>
>>>>>>> If it was sessions I could use the 'flag' keyword.
>>>>>>> "
>>>>>>>
>>>>>>> But I *don't* want sessions.
>>>>>>>
>>>>>>> 2009/4/22 Joel Esler <jesler@sourcefire.com>
>>>>>>>> Take a look at the tag keyword.
>>>>>>>> http://www.snort.org/docs/snort_htmanuals/htmanual_284/node373.html
>>>>>>>>
>>>>>>>> The flags keyword simply will trigger on the presence of certain TCP flags set in the packet. This is probably not what you want.
>>>>>>>>
>>>>>>>> J
>>>>>>>>
>>>>>>>> 2009/4/22 Ulisses Araújo Costa <ulissesaraujocosta@gmail.com>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I'm using Snort in a project. I'm wondering if with Snort I can group packets from the same connection. For example: if I request google.com, I just send one packet but the response comes in (imagine) 4 packets. The idea is to make Snort just consider that as 2 states (me making the request and google sending the response). The problem is I want to make that to connections, not sessions.
>>>>>>>>>
>>>>>>>>> If it was sessions I could use the 'flag' keyword. Now I'm seeing if the way is using preprocessors, in this case the HTTP preprocessor.
>>>>>>>>>
>>>>>>>>> Can you help me?
>>>>>>>>>
>>>>>>>>> Best Regards,
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Ulisses Costa - http://caos.di.uminho.pt/~ulisses/
>>>>>>>>
>>>>>>>> --
>>>>>>>> joel esler | Sourcefire | gtalk: jesler@sourcefire.com | 302-223-5974 | http://twitter.com/joelesler

--
Ulisses Costa - http://caos.di.uminho.pt/~ulisses/

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
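An added example, not from the thread or from the Snort project: two constructed Snort 2.8-era rules showing the two keywords suggested above, flow to split the request and response directions of one session, and tag to log the rest of that session (the multi-packet reply included) under the alert raised by the single request packet. It assumes a standard snort.conf with $HOME_NET and $EXTERNAL_NET defined and the stream preprocessor enabled, so that "established" and "session" are tracked; the host name, message text and sids are placeholders.

```snort
# Constructed example (not from the thread). Assumes $HOME_NET/$EXTERNAL_NET
# are set in snort.conf and stream5 is enabled, so that "established" and
# "session" are meaningful. Host name, msg text and sids (local range) are
# placeholders.

# 1. Fire on the client's request only (flow:to_server), then tag the
#    session: the next 10 packets on the same 5-tuple, in both directions,
#    are logged with this alert. The one request packet and the several
#    reply packets are therefore grouped under a single alert rather than
#    producing one alert per packet.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( \
    msg:"EXAMPLE HTTP request to example.com"; \
    flow:to_server,established; \
    content:"GET "; depth:4; \
    content:"Host: example.com"; nocase; \
    tag:session,10,packets; \
    classtype:not-suspicious; sid:1000001; rev:1; \
)

# 2. Fire once on the reply (flow:to_client). flow limits the rule to one
#    direction of the same session; depth:12 anchors the match at the start
#    of the payload, so only the first reply packet (the one carrying the
#    status line) matches, not the continuation packets behind it.
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any ( \
    msg:"EXAMPLE HTTP 200 reply from example.com"; \
    flow:to_client,established; \
    content:"HTTP/1.1 200"; depth:12; \
    classtype:not-suspicious; sid:1000002; rev:1; \
)
```

Both rules still key on the session (the TCP 5-tuple tracked by the stream preprocessor); what flow adds is the direction within it, and what tag adds is the logging of the follow-on packets, which is how the request/response pair ends up recorded together.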