[Snort-sigs] Not sure on the best way to do this

McCammon, Keith Keith.McCammon at ...647...
Wed Jun 26 14:53:01 EDT 2002

Write pass rules for the traffic that you know to be valid, and then create an alert (or log) rule to capture all traffic:

alert ip any any -> $HOME_NET any

You can obviously do this in any direction that suits your needs, but most folks are looking for inbound.  

Then, just start Snort with the -o option, so that the pass rules are processed first.  Anything left over will be logged.



-----Original Message-----
From: Ian Macdonald [mailto:secsnortsigs at ...644...]
Sent: Wednesday, June 26, 2002 7:08 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Not sure on the best way to do this

I have a network segment that I am monitoring. This is slightly different
from most of the segments I monitor. Here I know exactly what is allowed
by IP address and port, and I would like to report any exceptions to these
allowed IP/port combinations.

Any thoughts on the best way to do this in snort?

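As an added example (not part of either message above), the following POSIX shell script builds the rule set Keith describes: one pass rule per approved destination, followed by a single catch-all alert on everything else inbound to $HOME_NET. The allow-list, addresses, descriptions and the 1000001+ SID range are constructed for illustration and are not from the original thread.

```shell
#!/bin/sh
# Added example: turn an allow-list of protocol/IP/port combinations into a
# Snort rules file of "pass" rules followed by one catch-all "alert" rule.
# Addresses, descriptions and SIDs below are assumptions, not real data.

# Constructed allow-list: "proto dst_ip dst_port description", one per line.
# Lines starting with '#' and blank lines are ignored.
ALLOWED='tcp 192.168.10.5 25 smtp-relay
tcp 192.168.10.5 443 webmail
udp 192.168.10.7 53 resolver'

# gen_rules: read the allow-list on stdin, print a Snort rules file on stdout.
# Every pass rule carries a msg and a SID so it is distinguishable in snort's
# own output; local SIDs conventionally start at 1000000.
gen_rules() {
    sid=1000001
    while read -r proto ip port desc; do
        [ -z "$proto" ] && continue          # skip blank lines
        case "$proto" in '#'*) continue ;; esac   # skip comments
        printf 'pass %s any any -> %s %s (msg:"allowed %s"; sid:%d; rev:1;)\n' \
            "$proto" "$ip" "$port" "$desc" "$sid"
        sid=$((sid + 1))
    done
    # Catch-all: any IP traffic inbound to $HOME_NET that no pass rule claimed.
    # $HOME_NET is left for snort to expand, hence the single quotes.
    printf 'alert ip any any -> $HOME_NET any (msg:"traffic outside allow-list"; sid:%d; rev:1;)\n' "$sid"
}

# Usage: write the rules file, then start snort with -o so the pass rules are
# evaluated before the alert rule (the default order is alert, pass, log).
printf '%s\n' "$ALLOWED" | gen_rules > allowlist.rules
echo 'snort -o -c snort.conf   # with: include allowlist.rules'
```

Without -o, the catch-all alert is evaluated before the pass rules and fires on the allowed traffic as well, which defeats the purpose. Note also that the rules match per packet and in one direction: replies coming back from an outside host to a client inside $HOME_NET still hit the alert rule, so if clients on the segment initiate connections outward you would need matching pass rules (or the bidirectional <> operator) for those flows as well.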
