[Snort-sigs] sigs to catch response traffic

Matt Jonkman matt at ...2436...
Sun Jul 17 19:26:50 EDT 2005


You could do that with flowbits, but it'd probably be a good load on snort.

Worth looking into though.

Are you looking to know just about the error after a known attack, or
about all errors or non-error returns?

matt

Russell Fulton wrote:
> Hi, does stream4 collect both directions of a flow?  I.e. is it possible
> to have a set of signatures that tags a flow (standard http attack) and
> then watched for a 200 response from the web server.
> 
> I assume that the answer is no otherwise we would be diong this as a
> matter of routine.
> 
> It long ago got to the stage where I ignore the flood of altert
> generated by people poking at our web servers.  The fact that some poked
> at our web server is of no interest at all.  The fact that someone poked
> at the web server and the server did not return an error is of interest.
> 
> Perhaps this could be built into a preprocessor that returns the status
> on an http connections.
> 
> Russell
> 
> 
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.




More information about the Snort-sigs mailing list