RE: Can snort be smarter?

[Kevin Brown <Kevin.M.Brown () asu edu>]

 Why not set up the rules yourself to only trigger when they go after your
IIS servers or apache servers?  Define a few more variables in your
snort.conf file to cover IIS servers or apache or whatever app, then in the
rules use that definition to replace the default.

var IISSERVER [IPs]
var APACHESERVER [IPs]

etc...

-----Original Message-----
From: Jason Haar
To: snort-users () lists sourceforge net
Sent: 7/1/02 2:43 PM
Subject: [Snort-users] Can snort be smarter?

There's a thread over in Security-Focus-IDS ("Crying wolf:") where
people
are bemoaning the amount of false-positives that IDSes generate. 

One thing missing from Snort would be the ability for it to recognise
the
difference between (say) a CodeRed attempt against an IIS and an Apache
server.

With stateful packet reassembly, would it be possible to match on the
return
packets in the same rule? e.g.

content: "/script.exe?"; content: "Server: Microsoft-IIS"

That way you'd only get an alert on application-specific attacks when
they're against that particular application.

I realise that some would still want to know about ALL attacks - but
that
could be dealt with by  the above rule being an "alert", followed by the
same rule without the "Server: Microsoft-IIS" bit being a "log".

Apparently this is a feature NFR has.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users