[Snort-devel] what about anti-rules and whatnot?

Brian Caswell bmc at ...227...
Sun Apr 1 17:16:46 EDT 2001


Todd Lewis wrote:
> 
> Ok, so I'm reading the assigned numbers RFC, and the though occurs to me,
> what about anomolous event detection strategies?  E.g., you may want to
> express the following thought in a snort configuration:
> 
>         I have already specified snort rules for the ICMP types which I
>         expect to cross my network.  Any ICMP types not otherwise matched,
>         I want them captured so that I can send them off to SecureWorks
>         for examination.
> 
> This experience got me thinking: what are some wierd snort rules that
> people would like to be able to express but can't under the present
> system?

Andrew B. from farm9 did a talk on doing just that usinv variable rule
types at CanSecWest.  Hopefully he will put up his talk somewhere...
hint-hint.

-brian




More information about the Snort-devel mailing list