Subject: Re: Composite Patterns
From: Martin Roesch (roeschMD.PRESTIGE.NET)
Date: Mon Dec 04 2000 - 22:53:53 CST


You'd have to write it as a preprocessor under the current design of Snort,
but it wouldn't be too difficult to do. Basically you'd just have to do a
plugin similar in concept to the existing portscan detector, but with a lot
less intelligence. It's definitely not a trivial thing if you don't know C,
but if you do, you could probably write it in a few hours if you haven't been
exposed to Snort's code before.

     -Marty

Jacob Martinson wrote:
>
> Could you write a rule that would detect n inbound udp packets per second?
>
> -----Original Message-----
> From: Martin Roesch [mailto:roeschmd.prestige.net]
> Sent: Tuesday, November 28, 2000 10:24 AM
> To: Jacob Martinson
> Cc: FOCUS-IDSSECURITYFOCUS.COM
> Subject: Re: Composite Patterns
>
> Actually, Snort *does* do composite patterns within a single rule. Is this
> what you're looking for, or are you talking about multi-rule composites?
> Multi-rule composites are something that's in the works...
>
> -Marty
>
> Jacob Martinson wrote:
> >
> > I am trying to find a decent NIDS that can detect fraggle, tfn, trinoo etc.
> > Snort doesn't do composite patterns at this point and NetRanger requires
> > that you run OpenView on the management console (as far as I can tell).
> > Does anyone have any recommendations?
> >
> > My ultimate goal is something that will alert me as quickly as possible
> > when we are experiencing a dos attack.
> >
> > Thanks for any input!
> >
> > Jacob Martinson
> >
> > ---
> > BSD Unix - the first operating system with an IP stack.
>
> --
> Martin Roesch
> roeschmd.prestige.net
> http://www.snort.org

--
Martin Roesch
roeschmd.prestige.net
http://www.snort.org
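The thread above asks for something Snort rules could not express at the time: an alert when more than n inbound UDP packets arrive in one second, which Marty says belongs in a preprocessor with portscan-style bookkeeping. The following is an added example, not code from the thread or from the Snort project, showing only the counting logic such a plugin needs, written as a stand-alone C program so it can be compiled and run without Snort's plugin API (which is not shown or assumed here). The packet record, the `rate_state_t` bookkeeping, the threshold semantics (alert once for any second in which the inbound UDP count reaches the threshold) and the packet trace are all constructed for the demonstration; timestamps are assumed to arrive in non-decreasing order, as they do from a live capture.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Minimal packet view: what a preprocessor would pull from the decoded
 * packet. Constructed for this example; not Snort's Packet struct. */
typedef struct {
    uint32_t ts_sec;   /* capture timestamp, whole seconds */
    int is_udp;        /* 1 if the packet is UDP */
    int inbound;       /* 1 if destined for the protected network */
} pkt_t;

#define MAX_ALERTS 64

/* Per-second fixed-window counter of inbound UDP packets. */
typedef struct {
    unsigned threshold;            /* packets/second that trigger an alert */
    uint32_t window_sec;           /* the second currently being counted */
    unsigned count;                /* inbound UDP packets seen in window_sec */
    int started;                   /* 0 until the first counted packet */
    unsigned alerts;               /* seconds that reached the threshold */
    uint32_t alert_secs[MAX_ALERTS];
} rate_state_t;

static void rate_init(rate_state_t *s, unsigned threshold) {
    memset(s, 0, sizeof *s);
    s->threshold = threshold;
}

/* Feed one packet. Returns 1 exactly when this packet makes the current
 * second reach the threshold, so an offending second alerts only once.
 * Assumes timestamps are non-decreasing (out-of-order packets would reset
 * the window early and undercount). */
static int rate_process(rate_state_t *s, const pkt_t *p) {
    if (!p->is_udp || !p->inbound)
        return 0;                          /* only inbound UDP is counted */
    if (!s->started || p->ts_sec != s->window_sec) {
        s->window_sec = p->ts_sec;         /* new second: restart the count */
        s->count = 0;
        s->started = 1;
    }
    s->count++;
    if (s->count == s->threshold) {
        if (s->alerts < MAX_ALERTS)
            s->alert_secs[s->alerts] = p->ts_sec;
        s->alerts++;
        return 1;
    }
    return 0;
}

static void feed(rate_state_t *s, uint32_t sec, int udp, int in, unsigned n) {
    pkt_t p = { sec, udp, in };
    while (n-- > 0)
        rate_process(s, &p);
}

/* Constructed trace (not real traffic):
 *   second 100:  3 inbound UDP
 *   second 101: 12 inbound UDP, 2 inbound TCP, 3 outbound UDP
 *   second 102:  2 inbound UDP
 * Only the inbound UDP packets count toward the rate. */
static void run_trace(rate_state_t *s) {
    feed(s, 100, 1, 1, 3);
    feed(s, 101, 1, 1, 12);
    feed(s, 101, 0, 1, 2);
    feed(s, 101, 1, 0, 3);
    feed(s, 102, 1, 1, 2);
}

/* Number of seconds in the constructed trace that reached the threshold. */
unsigned demo_alert_count(unsigned threshold) {
    rate_state_t s;
    rate_init(&s, threshold);
    run_trace(&s);
    return s.alerts;
}

/* Timestamp of the first alerting second, or 0 if none fired. */
uint32_t demo_first_alert_sec(unsigned threshold) {
    rate_state_t s;
    rate_init(&s, threshold);
    run_trace(&s);
    return s.alerts ? s.alert_secs[0] : 0;
}

int main(void) {
    unsigned threshold = 10;
    printf("threshold %u pkt/s: %u alerting second(s), first at t=%u\n",
           threshold, demo_alert_count(threshold),
           (unsigned)demo_first_alert_sec(threshold));
    return 0;
}
```

A fixed one-second window is the simplest form of the bookkeeping; a burst that straddles a second boundary can split across two windows and stay under the threshold in each, which is why the portscan detector Marty points to tracks a configurable time window rather than calendar seconds. The threshold should be tuned against the protected network's normal UDP load (DNS, NTP, SNMP polling), since the counter has no notion of which flows are legitimate.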