Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Using snort as connection tracker

from [sekure] Network Security [Permanent Link]
Subject: Re: [Snort-users] Using snort as connection tracker
Date: Mon, 20 Dec 2004 10:08:40 -0500 
If this was TCP traffic, then it'd be easy....  With UDP it's a little
difficult.  See if you can find something in the payload to identify a
session start for the application itself.  Otherwise, you can play
around with thresholding, track by source and log one every 15
minutes, or every half hour, or whatever.  The problem here is that
you might miss some new connections that occur within that time
window.

Your best bet is to look in the application level for some identifying
information.  Ethereal is your friend.



On Sun, 19 Dec 2004 16:15:25 +0100, Klemen Mihevc <mafia-x@volja.net> wrote:



Hello,

 

I'm kinda new in »advanced« snort configuration. Until now i only used it
with »default« cfg & rules. Now i have a problem, I'm runing on linux server
2 gameservers on udp port 27960 & 28960 i made 2 custom rules to track that
connections:

 

alert udp $EXTERNAL_NET any -> $HOME_NET 27960 (msg:"Enemy Territory
player";)

 

alert udp $EXTERNAL_NET any -> $HOME_NET 28960 (msg:"Call of Duty player";)

 

 

now i have a problem couse every packet is logged (and logs are huge) even
if it's only about 1k big and it is product of outside scan of server not
actual connection to it. Is there anyway to log only first and last package
from 1 ip and only if data transfer is bigger then let's say 5k? Or maybe
anyother way to log that connections? I also tryed with chaosreader &
tcpdump but this method is too much cpu & ram consuming and i also tried
with iptable but again with same problem (every package is logged). I relay
wanna use snort because i can use mysql & acid for statistic...

 

 

Thx

 

 

PS: sorry for my bad english ;)



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-users] Snortcenter2, Brian Jameson
Next by Date:  [Snort-users] Netbios.rules, Parent,Patrice [CMC]
Previous by Thread:  [Snort-users] Using snort as connection tracker, Klemen Mihevc
Next by Thread:  Re: [Snort-users] Using snort as connection tracker, Jose Maria Lopez
Indexes:  [Date] [Thread] [Top] [All Lists]