Snort mailing list archives
Re: General suspicious traffic detection
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 4 Sep 2002 11:03:49 -0700 (PDT)
On Wed, 4 Sep 2002, James Bly wrote:
> Has anyone given any thought to ways to define through snort, a list of authorized protocols on a particular interface, so that any other protocols appearing on the wire would trigger alerts? Essentially defining an "authorized port" policy. Granted some protocols would require protocol interpretation to avoid false positives (like FTP, Streaming Video, etc) but my consideration is for wires where all ports can be defined. (i.e. such and such wire should only see nntp, ssh, and telnet) Thoughts are greatly appreciated,
Ask and ye shall receive.
From the CVS Changelog:
2002-08-13 Chris Green <cmg () sourcefire com>
* src/preprocessors/spp_conversation.c:
new option alert_odd_protocols
set allowed_ip_protocols to the numbers you like and it will alert
on all bad protocols
:)
Added in to 1.9 CVS version.
Cheers!
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
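
The check the changelog entry describes, as an added example that is not part of the original message and is not Snort's code: an allowlist of IP protocol numbers applied to the protocol field of each IPv4 header, alerting on everything else. It assumes, from the option name `allowed_ip_protocols`, that the match is on the IP header's protocol number (1 = ICMP, 6 = TCP, 17 = UDP) rather than on TCP/UDP ports; the function names, the allowlist and the sample packets are constructed for illustration.

```python
import socket
import struct

# Assumed allowlist of IANA IP protocol numbers: ICMP, TCP, UDP.
ALLOWED_IP_PROTOCOLS = {1, 6, 17}


def ipv4_protocol(packet: bytes):
    """Return the protocol number of an IPv4 header, or None if malformed."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return None
    return packet[9]  # protocol field sits at byte offset 9


def odd_protocol_alerts(packets, allowed=ALLOWED_IP_PROTOCOLS):
    """Return (index, protocol, detail) for every packet outside the allowlist."""
    alerts = []
    for i, pkt in enumerate(packets):
        proto = ipv4_protocol(pkt)
        if proto is None:
            alerts.append((i, None, "malformed IPv4 header"))
        elif proto not in allowed:
            src = socket.inet_ntoa(pkt[12:16])
            dst = socket.inet_ntoa(pkt[16:20])
            alerts.append((i, proto, f"{src} -> {dst}"))
    return alerts


def make_header(proto, src, dst):
    """Constructed sample: minimal 20-byte IPv4 header, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


# Constructed sample traffic (documentation address ranges).
SAMPLE_PACKETS = [
    make_header(6, "192.0.2.10", "192.0.2.20"),     # TCP, allowed
    make_header(17, "192.0.2.10", "192.0.2.53"),    # UDP, allowed
    make_header(47, "192.0.2.10", "198.51.100.7"),  # GRE, not allowed
    make_header(1, "192.0.2.20", "192.0.2.10"),     # ICMP, allowed
    make_header(41, "203.0.113.5", "192.0.2.10"),   # IPv6-in-IPv4, not allowed
    b"\x45\x00",                                    # truncated header
]

if __name__ == "__main__":
    for alert in odd_protocol_alerts(SAMPLE_PACKETS):
        print(alert)
```

A port-level policy such as "only nntp, ssh, and telnet" is a separate check on the TCP/UDP header and is not covered by this example.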
