From: Roland T. (SourceForge) <raz...@co...> - 2005-05-24 09:55:23
Bert van Leeuwen said:
> I'm trying to find out whether it is possible (with snort-inline) to
> detect that a particular IP flow (i.e. src/dst IP, UDP/TCP src/dst
> port tuple) has "passed" all the available rules, in other words that
> none of the rules match or will match a particular flow. The reason

I'm not sure that I understand how this is possible. The fact that the first n packets of a flow don't match any signatures does not mean that no subsequent packets will.

Do you have a specific situation in mind? (Custom signatures perhaps?)

- Raz