[Snort-devel] what about anti-rules and whatnot?
bmc at ...227...
Sun Apr 1 17:16:46 EDT 2001
Todd Lewis wrote:
> Ok, so I'm reading the assigned numbers RFC, and the thought occurs to me,
> what about anomalous event detection strategies? E.g., you may want to
> express the following thought in a snort configuration:
> I have already specified snort rules for the ICMP types which I
> expect to cross my network. Any ICMP types not otherwise matched,
> I want them captured so that I can send them off to SecureWorks
> for examination.
> This experience got me thinking: what are some weird snort rules that
> people would like to be able to express but can't under the present
Andrew B. from farm9 did a talk on doing just that using variable rule
types at CanSecWest. Hopefully he will put up his talk somewhere...
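One way to express the "any ICMP type not otherwise matched" idea from the quoted message in plain Snort rule syntax, as an added example (constructed here, not code from the original post, the Snort project or the talk mentioned above): pass rules for the ICMP types you expect, followed by a catch-all log rule. It assumes $HOME_NET is defined elsewhere in the same snort.conf and that echo request/reply, destination unreachable and TTL exceeded are the expected types on this network; adjust the list to what you actually see.

```text
# Constructed example, not from the original post or the Snort project.
# Assumes $HOME_NET is already declared in snort.conf, e.g.
#   var HOME_NET 192.168.1.0/24

# Expected ICMP traffic: pass it without logging
pass icmp any any -> any any (itype: 0;)    # echo reply
pass icmp any any -> any any (itype: 8;)    # echo request
pass icmp any any -> any any (itype: 3;)    # destination unreachable
pass icmp any any -> any any (itype: 11;)   # time exceeded

# Catch-all: every ICMP packet toward $HOME_NET that no pass rule claimed
log icmp any any -> $HOME_NET any (msg: "unexpected ICMP type";)
```

Two things to watch: the catch-all has no itype option at all, so it matches every ICMP packet and relies on the pass rules to remove the known types first; and Snort's default rule order is Alert, Pass, Log, so this works as written with a log catch-all, but if you change the catch-all to an alert rule you must start Snort with -o (order becomes Pass, Alert, Log), otherwise the alert fires before the pass rules are ever consulted and the expected types are reported too.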