The Stream Analyzer plugins each perform analysis on
portions of each IP packet:
- IP headers (IPv4 and IPv6): These plugins call
analysis engine functions to search for patterns in
the IP header. They also perform two special functions:
  - Hot IP: Events may be defined to set a Hot IP
  address, which means that all traffic for the address
  is reported for the time period defined in the Event.
  - Timestamp: IP addresses can be monitored for
  connections established during specific time periods,
  with the capability of ignoring allowed connections.
- TCP and UDP headers: These plugins call analysis
engine functions to search for patterns in the TCP or
UDP header. The TCP plugin also tests for anomalies
in the TCP options field.
- Data: This plugin calls the library string match
function to test for patterns in the packet payload.
When a Trigger is found by a plugin, the analysis engine
creates a Trigger Element and puts it on the queue for the
Stream. The Trigger is cross-referenced to Actions by the
Action Analyzer when it is notified by the Stream Handler
of stream completion.
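The plugin, Trigger queue and Action Analyzer flow described above, as an added Python sketch that is not the original system's code: the decoy address, Hot IP period, pattern strings and the Event-to-Action table are assumptions, and the packets are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Packet:                    # constructed, simplified packet; one stream id per flow
    stream: str
    src: str
    dst: str
    proto: str                   # "tcp" or "udp"
    ts: float                    # arrival time in seconds
    tcp_options: bytes = b""
    payload: bytes = b""

# Assumed Event/Action definitions (hypothetical, not from the page)
DECOY_DST = "10.0.0.99"          # IP-header pattern whose match sets the source as a Hot IP
HOT_SECONDS = 60.0               # reporting period for a Hot IP, as defined by the Event
ACTIONS = {"hot_ip_set": "log", "hot_ip_traffic": "report",
           "bad_tcp_opts": "alert", "payload_pattern": "alert"}

class StreamAnalyzer:
    def __init__(self):
        self.hot_until = {}                  # Hot IP address -> time reporting stops
        self.queues = defaultdict(list)      # stream id -> queued Trigger Elements
    def trigger(self, pkt, name):            # analysis engine creates a Trigger Element
        self.queues[pkt.stream].append((name, pkt.ts))
    def ip_plugin(self, pkt):
        if pkt.dst == DECOY_DST:             # Event sets a Hot IP
            self.hot_until[pkt.src] = pkt.ts + HOT_SECONDS
            self.trigger(pkt, "hot_ip_set")
        if any(self.hot_until.get(ip, -1.0) >= pkt.ts for ip in (pkt.src, pkt.dst)):
            self.trigger(pkt, "hot_ip_traffic")   # all traffic for the address is reported
    def tcp_plugin(self, pkt):
        # TCP options anomaly: every kind other than EOL(0)/NOP(1) needs a length >= 2 inside the field
        opts, i = pkt.tcp_options, 0
        while pkt.proto == "tcp" and i < len(opts) and opts[i] != 0:
            if opts[i] == 1:
                i += 1
            elif i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
                self.trigger(pkt, "bad_tcp_opts")
                break
            else:
                i += opts[i + 1]
    def data_plugin(self, pkt):              # stands in for the library string match
        if b"/etc/passwd" in pkt.payload:
            self.trigger(pkt, "payload_pattern")
    def analyze(self, pkt):
        for plugin in (self.ip_plugin, self.tcp_plugin, self.data_plugin):
            plugin(pkt)
    def stream_complete(self, stream):       # Action Analyzer, on Stream Handler notification
        return [(name, ACTIONS[name]) for name, _ in self.queues.pop(stream, [])]
```

Feeding packets through analyze() and then calling stream_complete() for a stream returns the Trigger names paired with the Actions they resolve to; a Hot IP set at time t keeps reporting traffic only until t + HOT_SECONDS.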