Snort mailing list archives

Re: Snort's modules

From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 27 Jul 2012 10:30:05 -0400

On Fri, Jul 27, 2012 at 3:17 AM, Pratik Narang <pratik.cse.bits () gmail com>wrote:

The preproc_rules directory contains decoder.rules, preprocessor.rules
and sensitive-data.rules. Surely there must be more to Snort's anomaly
detection than these 4 files :) (dependencies, et al.) Where do I
start looking?

Start looking there and at the normalizer (see the README/manual).


If you think something should be added, please let us know.

Thanks


On Wed, Jul 25, 2012 at 8:19 PM, Russ Combs <rcombs () sourcefire com> wrote:

Snort signatures include decoder and preprocessor alerts which are

primarily

how anomalous traffic is detected.  Check the preproc_rules/ directory in
the tarball.

On Wed, Jul 25, 2012 at 8:58 AM, Pratik Narang <

pratik.cse.bits () gmail com>

wrote:


Hi all,

I have been playing around with Snort for a while now. I am beginning to
wonder that apart from its Signatures being its biggest strength, what

else

are the things on which Snort relies upon? Prima facie, the preprocessor
modules don't involve signatures- am I right here? Does Snort have an
Anomaly engine?? If not, i would be interested in knowing how all the
network stuff which cannot be detected via signatures (or you may say

that I

do not wish to use signatures) can be detected with Snort?

Thanks...

------------------------------------------------------------------------------

Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond.

Discussions

will include endpoint security, mobile security and the latest in

malware

threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Snort's modules Pratik Narang (Jul 25)
- Re: Snort's modules Joel Esler (Jul 25)
- Re: Snort's modules Russ Combs (Jul 25)
  - Re: Snort's modules Pratik Narang (Jul 27)
    - Re: Snort's modules Russ Combs (Jul 27)
- <Possible follow-ups>
- Snort's modules Pratik Narang (Jul 25)