Re: General suspicious traffic detection

[twig les <twigles () yahoo com>]

I've thought a little about it.  All I've considered
doing is having two snort processes running, each with
their own snort.conf.  I already have a custom.rules
file, so I would just make another one for the second
process.



--- James Bly <jbly () espiria com> wrote:
> Has anyone given any thought to ways to define
> through snort, a list of
> authorized protocols on a particular interface, so
> that any other protocols
> appearing on the wire would trigger alerts?
> Essentially defining and
> "authorized port" policy.
>  
> Granted some protocols would require protocol
> interpretation to avoid false
> positives (like FTP, Streaming Video, etc) but my
> consideration is for wires
> where all ports can be defined. (i.e. such and such
> wire should only see
> nntp, ssh, and telnet)
>  
> Thoughts are greatly appreciated,
> -James


=====
-----------------------------------------------------------
Heavy metal made me do it.                        
-----------------------------------------------------------

__________________________________________________
Do You Yahoo!?
Yahoo! Finance - Get real-time stock quotes
http://finance.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users