Snort mailing list archives
RE: Can snort be smarter?
From: Kevin Brown <Kevin.M.Brown () asu edu>
Date: Mon, 01 Jul 2002 15:01:14 -0700
Why not set up the rules yourself to only trigger when they go after your IIS servers or Apache servers? Define a few more variables in your snort.conf file to cover IIS servers or Apache or whatever app, then in the rules use that definition to replace the default.

var IISSERVER [IPs]
var APACHESERVER [IPs]
etc...

-----Original Message-----
From: Jason Haar
To: snort-users () lists sourceforge net
Sent: 7/1/02 2:43 PM
Subject: [Snort-users] Can snort be smarter?

There's a thread over in Security-Focus-IDS ("Crying wolf:") where people are bemoaning the amount of false positives that IDSes generate.

One thing missing from Snort would be the ability for it to recognise the difference between (say) a CodeRed attempt against an IIS and an Apache server. With stateful packet reassembly, would it be possible to match on the return packets in the same rule?

e.g.

content: "/script.exe?"; content: "Server: Microsoft-IIS"

That way you'd only get an alert on application-specific attacks when they're against that particular application.

I realise that some would still want to know about ALL attacks - but that could be dealt with by the above rule being an "alert", followed by the same rule without the "Server: Microsoft-IIS" bit being a "log".

Apparently this is a feature NFR has.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
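The two approaches raised in this exchange, written out as a worked snort.conf fragment. This is an added example, not configuration from either poster: the addresses are constructed placeholders, the sid numbers are assumed local-rule IDs, and the third and fourth rules use flowbits, a Snort 2.x feature that postdates this thread but does what Jason asked for (tag the session on the request, alert only if the reply in the same session identifies the server). The content strings are the ones quoted in the thread.

```snort
# --- snort.conf: per-application address lists (constructed example addresses) ---
var HTTP_SERVERS [192.0.2.10/32,192.0.2.20/32]
var IIS_SERVERS 192.0.2.10/32
var APACHE_SERVERS 192.0.2.20/32

# --- Kevin's approach: scope the rule by destination address list ---
# Keep full visibility: "log" the probe no matter which web server it hits.
log tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"script.exe probe against any web server"; flow:to_server,established; content:"/script.exe?"; nocase; sid:1000001; rev:1;)

# Only "alert" when the same probe is aimed at a host you know runs IIS.
alert tcp $EXTERNAL_NET any -> $IIS_SERVERS 80 (msg:"script.exe probe against IIS host"; flow:to_server,established; content:"/script.exe?"; nocase; sid:1000002; rev:1;)

# --- Jason's approach: confirm the application from the server's reply (flowbits) ---
# Rule 3 marks the TCP session when the probe is seen, without alerting on its own.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"script.exe probe seen (tagging session)"; flow:to_server,established; content:"/script.exe?"; nocase; flowbits:set,script_exe_probe; flowbits:noalert; sid:1000003; rev:1;)

# Rule 4 fires only if the reply in a tagged session says the server is IIS.
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"script.exe probe answered by Microsoft-IIS"; flow:to_client,established; flowbits:isset,script_exe_probe; content:"Server: Microsoft-IIS"; sid:1000004; rev:1;)
```

Two caveats a practitioner should keep in mind. The address-list approach is only as accurate as the inventory behind IIS_SERVERS and APACHE_SERVERS, so it needs to be kept in step with host changes. The response-matching approach depends on the reply carrying a Server header at all: an administrator who strips or rewrites that header will silence rule 4, which is why rules 1 and 2 are still worth keeping alongside it.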
Current thread:
- Can snort be smarter? Jason Haar (Jul 01)
- <Possible follow-ups>
- RE: Can snort be smarter? Kevin Brown (Jul 01)
- Re: Can snort be smarter? Jason Haar (Jul 01)