Snort mailing list archives
Re: Help with a rule
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 10 Dec 2013 21:22:13 +0000
I think what you may be searching for is: http://manual.snort.org/node33.html#SECTION004622000000000000000 stream_size.

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Manager
Vulnerability Research Team
Jabber: jesler () cisco com

On Dec 10, 2013, at 1:53 PM, Y M <snort () outlook com> wrote:

Hi Tyler,

I don't think you would be able to achieve this through rules. Dependent on the MTU at your network, packet payload will be constrained. For example, if the MTU is 1500 and you are looking at a TCP session, then your maximum payload will be 1460 excluding IP and TCP headers, given that no IP and TCP options are present in the packet. This is different for UDP and ICMP. Not to mention the OSes in use and fragmentation.

That said, the Stream5 preprocessor may help. Specifically, the "max_queued_bytes" and "max_queued_segs" options. Also, look at the Stream5 readme in the Snort tarball (Stream API). I would assume that your Frag3 is also configured for the target OSes in use.

Thanks
YM
Date: Tue, 10 Dec 2013 12:20:55 -0500
From: tah338 () sr unh edu
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Help with a rule

Hi,

I'm fairly new to Snort, and was wondering if I could get assistance with writing a rule. Our Snort system is watching over a private network of several secure servers. One of the things we'd like to look for is large chunks of data being transferred off any of these servers. I'm trying to come up with a rule that alerts us any time there is some movement of data over, say, 10MB, but I'm not sure how to go about doing this. Any suggestions?

Thanks!

--
Tyler MacPherson
Student Operator
UNH Research Computing Center
(603) 862-4518

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
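As an added illustration of the stream_size option Joel points to, here are two rules that alert when a secure server has sent more than 10 MB in a single TCP session. These are example rules written for this archive page, not rules from the thread or from any Snort rule set; they assume $HOME_NET covers the secure servers, that Stream5 is tracking TCP sessions (the default), and the SIDs 1000001/1000002 are placeholders in the local range.

```snort
# Added example rules, not from the thread or the Snort rule set.
# Assumptions: $HOME_NET covers the secure servers, Stream5 is tracking TCP
# (the default), and SIDs 1000001/1000002 are placeholders in the local range.
#
# stream_size compares the byte count derived from TCP sequence numbers for
# one side of a session, so it is not limited by per-packet payload size
# (MTU) or by Stream5's max_queued_bytes reassembly buffer. The flowbits
# isnotset/set pair makes each rule fire once per session instead of on
# every packet after the threshold is crossed.

# Case 1: an outside host connected in and the secure server (TCP responder)
# has sent it more than 10 MB (10485760 bytes), e.g. a large download.
alert tcp $HOME_NET any -> any any ( \
    msg:"POLICY secure server sent >10MB in one session (responder side)"; \
    flow:established,from_server; \
    stream_size:server,>,10485760; \
    flowbits:isnotset,bigxfer_resp; \
    flowbits:set,bigxfer_resp; \
    classtype:policy-violation; \
    sid:1000001; rev:1; \
)

# Case 2: the secure server itself opened the connection (TCP initiator) and
# has pushed more than 10 MB out, e.g. an upload or exfiltration channel.
alert tcp $HOME_NET any -> any any ( \
    msg:"POLICY secure server sent >10MB in one session (initiator side)"; \
    flow:established,to_server; \
    stream_size:client,>,10485760; \
    flowbits:isnotset,bigxfer_init; \
    flowbits:set,bigxfer_init; \
    classtype:policy-violation; \
    sid:1000002; rev:1; \
)
```

Validate the syntax with `snort -T -c <your snort.conf>` before deploying. Two caveats a practitioner should expect: because the count is per TCP session, a transfer split across many smaller sessions (or over UDP) never trips the threshold, and legitimate bulk traffic between the secure servers themselves will also match unless the destination is narrowed, for example to $EXTERNAL_NET.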
Current thread:
- Help with a rule Tyler MacPherson (Dec 10)
- Re: Help with a rule lists () packetmail net (Dec 10)
- Re: Help with a rule Kyle Creyts (Dec 10)
- Re: Help with a rule Y M (Dec 10)
- Re: Help with a rule Joel Esler (jesler) (Dec 10)
- Re: Help with a rule lists () packetmail net (Dec 10)