Snort mailing list archives
Re: General suspicious traffic detection
From: twig les <twigles () yahoo com>
Date: Wed, 4 Sep 2002 13:45:26 -0700 (PDT)
I've thought a little about it. All I've considered doing is having two snort processes running, each with their own snort.conf. I already have a custom.rules file, so I would just make another one for the second process.

--- James Bly <jbly () espiria com> wrote:
Has anyone given any thought to ways to define, through snort, a list of authorized protocols on a particular interface, so that any other protocols appearing on the wire would trigger alerts? Essentially defining an "authorized port" policy.

Granted, some protocols would require protocol interpretation to avoid false positives (like FTP, Streaming Video, etc.), but my consideration is for wires where all ports can be defined (i.e. such and such wire should only see nntp, ssh, and telnet).

Thoughts are greatly appreciated,
-James
=====
Heavy metal made me do it.
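The "authorized port" policy asked about above, written for the dedicated second Snort process suggested in the reply. This is an added example, not a configuration posted by anyone in the thread. It assumes a Snort 2.x release that supports `portvar` and negated port lists; the file name `policy.rules`, the variable name and the SIDs are constructed for illustration.

```snort
# policy.rules (hypothetical name), loaded only by the second Snort
# process that listens on the restricted wire.
# Assumption: this wire may carry only ssh (22), telnet (23) and nntp (119).

# Allowlist of TCP service ports. Everything else is a policy violation.
portvar ALLOWED_TCP [22,23,119]

# 1. Any new TCP connection attempt to a port outside the allowlist.
#    flags:S,12 matches SYN-only segments and ignores the two reserved/ECN
#    bits, so one alert fires per connection attempt, not per packet.
alert tcp any any -> any !$ALLOWED_TCP (msg:"POLICY TCP connection attempt to unauthorized port"; flags:S,12; classtype:policy-violation; sid:1000001; rev:1;)

# 2. A SYN/ACK coming from a port outside the allowlist: a service is
#    answering on an unauthorized port. This also catches sessions whose
#    initial SYN the sensor did not see.
alert tcp any !$ALLOWED_TCP -> any any (msg:"POLICY unauthorized TCP service accepting connections"; flags:SA,12; classtype:policy-violation; sid:1000002; rev:1;)

# 3. The allowlist contains no UDP service, so any UDP datagram on this
#    wire is outside policy. This alerts per packet; rate limiting is
#    left out of this example.
alert udp any any -> any any (msg:"POLICY UDP traffic on TCP-only segment"; classtype:policy-violation; sid:1000003; rev:1;)
```

As the original question notes, this only works on wires where every port can be enumerated; protocols that negotiate secondary ports, such as FTP data channels, would trip rules 1 and 2.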
Current thread:
- General suspicious traffic detection James Bly (Sep 04)
- Re: General suspicious traffic detection Erek Adams (Sep 04)
- Re: General suspicious traffic detection twig les (Sep 04)