Snort mailing list archives

connection tracking


From: Peter Moody <peter () ucsc edu>
Date: 26 Jun 2003 13:39:27 -0700

OK, first question answered.  On to question 2.

Now that I've got snort ignoring traffic that I don't care about and
logging everything else, I was wondering about the statefulness of the
matching.

If, in my hypothetical situation, I wanted to ignore all p2p traffic, I
know that I could have snort pass on some initial rules (say, a packet
with a "User-Agent: Kazaa"), and then log everything else.  However, I
also want to see about getting snort to not log all of the packets
associated with a user downloading the latest Jenna Jameson movie.  The
packets containing the movie, to the best of my knowledge, wouldn't
contain the User-Agent string, but they would be associated with the
initial connection which did contain that string.  I see that the
stream4 pre-processor has some sort of connection tracking, but will
snort somehow know to pass on those packets as well?

Thanks.

-Peter

-- 
Peter Moody                             <peter () ucsc edu>
Information Security Administrator      831/459.5409
Communications and Technology Services. http://mustard.ucsc.edu/pubkey
UC, Santa Cruz.
:wq
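
The per-connection state the message asks about, sketched as an added example that is not part of the original post and is not Snort or stream4 code: once one packet of a flow carries the marker string, later packets of the same flow are skipped in both directions. The `Packet` type, `flow_key`, `filter_packets` and the sample packets are assumptions constructed for illustration.

```python
# Added illustration: "ignore" state kept per connection, keyed on the flow.
# Not Snort/stream4 code; all packets below are constructed sample data.
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags, e.g. "S", "PA", "R"
    payload: bytes

IGNORE_MARKER = b"User-Agent: Kazaa"   # string quoted in the message above

def flow_key(p: Packet):
    """Direction-independent key so both halves of a connection match."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def filter_packets(packets):
    """Return the packets that would still be logged."""
    ignored = set()   # flows already marked "do not log"
    logged = []
    for p in packets:
        key = flow_key(p)
        if key not in ignored and IGNORE_MARKER in p.payload:
            ignored.add(key)            # marker seen: tag the whole flow
        if key in ignored:
            if "R" in p.flags:          # reset: forget the flow so a reused
                ignored.discard(key)    # address/port pair is re-evaluated
            continue
        logged.append(p)
    return logged

# Constructed sample: handshake, request with marker, data reply, other flow.
SAMPLE = [
    Packet("10.0.0.5", 40000, "192.0.2.9", 1214, "S", b""),
    Packet("10.0.0.5", 40000, "192.0.2.9", 1214, "PA",
           b"GET /file HTTP/1.1\r\nUser-Agent: Kazaa\r\n\r\n"),
    Packet("192.0.2.9", 1214, "10.0.0.5", 40000, "PA", b"\x00\x01binary-data"),
    Packet("10.0.0.5", 40001, "198.51.100.7", 80, "PA", b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for pkt in filter_packets(SAMPLE):
        print(pkt.src, pkt.sport, "->", pkt.dst, pkt.dport, pkt.flags)
```

Packets that arrive before the marker (here the SYN) are still logged, because the flow is only tagged once the matching payload has been seen.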
