[Snort-sigs] problem writing rules for checking traffic and c ontent

Eric Baur Eric.Baur at ...1794...
Mon Aug 18 13:59:06 EDT 2003


	My solution has been to manage two (or more) rulesets and run
multiple copies of snort.  For example, I would have one listening for
attacks on eth0 and one listening for unauthorized access on eth0:0.  You
can even have them log to the same database so the data shows in the same
logs.  (You can then look at the summary statistics for the sensors to see
how many of each type you're logging.)
	This would be difficult if you had to maintain quite a few of
them... I basically have three.  One for attacks, one for SQL traffic and
one for "testing" (that I put rules in temporarily to do things like what
you're talking about).

Eric

-----Original Message-----
From: studentmm08.pool-id at ...1755...
[mailto:studentmm08.pool-id at ...1755...] 
Sent: Monday, August 18, 2003 5:38 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] problem writing rules for checking traffic and content


i have a little problem with the rule detection in snort. 
i know that snort uses a fast exit strategy. once matched, the packet
isn't checked against another rule by snort.

my scenario is a very big company net with lots of subnets.
(45 server, 200 clients, lots of develompent nets)

my task is to check source and destination of all traffic,
and on the other site the content of all traffic.





More information about the Snort-sigs mailing list