Snort mailing list archives
connection tracking
From: Peter Moody <peter () ucsc edu>
Date: 26 Jun 2003 13:39:27 -0700
OK, first question answered. On to question 2.

Now that I've got snort ignoring traffic that I don't care about and logging everything else, I was wondering about the statefulness of the matching. If, in my hypothetical situation, I wanted to ignore all p2p traffic, I know that I could have snort pass on some initial rules (say, a packet with a "User-Agent: Kazaa"), and then log everything else. However, I also want to see about getting snort to not log all of the packets associated with a user downloading the latest Jenna Jameson movie. The packets containing the movie, to the best of my knowledge, wouldn't contain the User-Agent string, but they would be associated with the initial connection which did contain that string.

I see that the stream4 pre-processor has some sort of connection tracking, but will snort somehow know to pass on those packets as well?

Thanks.

-Peter

--
Peter Moody <peter () ucsc edu> Information Security Administrator
831/459.5409 Communications and Technology Services.
http://mustard.ucsc.edu/pubkey UC, Santa Cruz.
:wq