[Oisf-users] Suricata and flowint

Martin Holste mcholste at gmail.com
Mon Jan 9 14:43:43 UTC 2012

Trying to make sigs based on the dsizes of conversations seems like a
lot of work for characteristics that change frequently.  Do you have
reason to believe that the dsizes change less frequently between
malware variants than the actual content?  That would be very

If you want to create alerts based on connection characteristics, I
strongly recommend running Bro as well as Suricata, as it is much more
suited for doing what you're trying to accomplish.  There have been a
ton of examples and documentation added over at bro-ids.org, so I
encourage you to take a look as I think it will be what you've been
looking for.

On Mon, Jan 9, 2012 at 2:25 AM, Edward Fjellskål
<edwardfjellskaal at gmail.com> wrote:
> Hi,
> I wrote a blog post about one way to use flowint in Suricata:
> http://www.gamelinux.org/?p=403
> Hope this can be inspiring and I hope others will share their use too.
> --
> Edward Bjarte Fjellskål
> Senior Security Analyst
> http://www.gamelinux.org/