Snort mailing list archives
snort rule application
From: Bruce Rosenthal <bsr3635 () gmail com>
Date: Fri, 4 Sep 2015 22:59:18 -0400
Interested in anyone who has implemented the following snort approach. This approach is focused on deploying snort in passive “detection” mode only - i.e. traffic is alerted on but not dropped or rejected.

1. Configure a set of rules that alert on packets that are verified as “good” patterns. Have these rules log to a specific log file defined in the rules comprising this “good traffic” set for further analysis described below. Logging is done using the logto attribute.
2. Also configure snort rules in the more traditional approach to alert on malicious signatures. Include in this “bad” set of rules the logto attribute to log to a different “bad traffic” log.
3. Log all the traffic that is being monitored by snort to an “all traffic” log.
4. Have the snort sensors configured this way forward the “good” and “bad” alert-driven logs to a data analytics application that will also receive the “all traffic” set.
5. Then, perform an analysis of these three sets that takes the differential of the “good” and the “bad” from the total to arrive at a residual set of traffic that doesn’t fit either the good or the bad set.

Purpose of the approach: to conduct further analysis of the residual set in order to disposition the residual into either the “good” or the “bad” as part of an on-going snort tuning process.

Interested in anything being done like this or similar variant.
Current thread:
- snort rule application Bruce Rosenthal (Sep 04)
- Re: snort rule application Joel Esler (jesler) (Sep 05)