[Snort-sigs] sigs to catch response traffic

Steven Sturges steve.sturges at ...435...
Mon Jul 18 06:18:34 EDT 2005


Stream4 does identify the client & server directions, however by
default it only does reassembly on the client side (for specific
configured ports).

As Matt mentions, having rules that look at server side traffic --
especially HTTP -- would cause snort to take a pretty significant
performance hit.  Flowbits might help with that a little bit, though.

Cheers.
-steve

> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net 
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of 
> Matt Jonkman
> Sent: Sunday, July 17, 2005 10:25 PM
> To: Russell Fulton
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] sigs to catch response traffic
> 
> You could do that with flowbits, but it'd probably be a good 
> load on snort.
> 
> Worth looking into though.
> 
> Are you looking to know just about the error after a known 
> attack, or about all errors or non-error returns?
> 
> matt
> 
> Russell Fulton wrote:
> > Hi, does stream4 collect both directions of a flow?  I.e. is it
> > possible to have a set of signatures that tags a flow (standard http
> > attack) and then watches for a 200 response from the web server.
> > 
> > I assume that the answer is no, otherwise we would be doing this as a
> > matter of routine.
> > 
> > It long ago got to the stage where I ignore the flood of alerts
> > generated by people poking at our web servers.  The fact that someone
> > poked at our web server is of no interest at all.  The fact that
> > someone poked at the web server and the server did not return an
> > error is of interest.
> > 
> > Perhaps this could be built into a preprocessor that returns the
> > status on an http connection.
> > 
> > Russell
> > 
> > 
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
> --
> --------------------------------------------
> Matthew Jonkman, CISSP
> Senior Security Engineer
> Infotex
> 765-429-0398 Direct Anytime
> 765-448-6847 Office
> 866-679-5177 24x7 NOC
> my.infotex.com
> www.offsitefilter.com
> www.bleedingsnort.com
> --------------------------------------------
> 
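The flowbits pairing the thread is talking about, as an added example that is not from the list post or from the Snort project: a client-side rule tags the flow without alerting, and a server-side rule alerts only when a 200 response arrives on a flow that carries the tag. The two Snort-style rules are hypothetical (the sids 1000001/1000002, the flowbit name example.web_attack and the request pattern are placeholders), and the small Python evaluator below models only the flowbits keywords the thread mentions, set, isset and noalert, scoped per TCP flow, over constructed packets rather than captured traffic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical rule pair (assumption: sids, flowbit name and request
# pattern are placeholders, not rules from any ruleset).
SNORT_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE suspicious request, tag flow"; \
  flow:to_server,established; content:"/cgi-bin/phf"; nocase; \
  flowbits:set,example.web_attack; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"EXAMPLE tagged request answered with 200"; \
  flow:to_client,established; flowbits:isset,example.web_attack; \
  pcre:"/^HTTP\/1\.[01] 200 /"; sid:1000002; rev:1;)
'''


@dataclass
class Packet:
    client: str          # client ip:port
    server: str          # server ip:port
    to_server: bool      # True = client -> server, False = server -> client
    payload: bytes


@dataclass
class Rule:
    sid: int
    msg: str
    to_server: bool                  # flow:to_server / flow:to_client
    pattern: re.Pattern              # stands in for content:/pcre:
    set_bit: Optional[str] = None    # flowbits:set,<name>
    isset_bit: Optional[str] = None  # flowbits:isset,<name>
    noalert: bool = False            # flowbits:noalert


RULES = [
    Rule(1000001, "EXAMPLE suspicious request, tag flow", True,
         re.compile(rb"/cgi-bin/phf", re.IGNORECASE),
         set_bit="example.web_attack", noalert=True),
    Rule(1000002, "EXAMPLE tagged request answered with 200", False,
         re.compile(rb"^HTTP/1\.[01] 200 "),
         isset_bit="example.web_attack"),
]


class FlowbitsEngine:
    """Per-flow bit store: a flowbit set by one rule is visible only to
    rules evaluated on the same TCP flow."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.flows: Dict[Tuple[str, str], Set[str]] = {}

    def process(self, pkt: Packet) -> List[str]:
        bits = self.flows.setdefault((pkt.client, pkt.server), set())
        alerts: List[str] = []
        for rule in self.rules:
            if rule.to_server != pkt.to_server:
                continue  # wrong direction for this rule
            if rule.isset_bit and rule.isset_bit not in bits:
                continue  # precondition bit not set on this flow
            if not rule.pattern.search(pkt.payload):
                continue  # payload does not match
            if rule.set_bit:
                bits.add(rule.set_bit)
            if not rule.noalert:
                alerts.append(f"[1:{rule.sid}] {rule.msg}")
        return alerts


def run_flow(packets: List[Packet], rules: List[Rule] = RULES) -> List[str]:
    """Feed one flow's packets through a fresh engine, return alerts."""
    engine = FlowbitsEngine(rules)
    alerts: List[str] = []
    for pkt in packets:
        alerts.extend(engine.process(pkt))
    return alerts


# Constructed packets (not captured data): one client, one web server.
C, S = "203.0.113.5:40123", "198.51.100.10:80"
ATTACK = Packet(C, S, True, b"GET /cgi-bin/phf?name=x HTTP/1.0\r\n\r\n")
BENIGN = Packet(C, S, True, b"GET /index.html HTTP/1.0\r\n\r\n")
OK200 = Packet(C, S, False, b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n")
ERR404 = Packet(C, S, False, b"HTTP/1.0 404 Not Found\r\n\r\n")


def scenarios() -> Dict[str, List[str]]:
    """Only a tagged request followed by a 200 on the same flow alerts."""
    return {
        "attack_then_200": run_flow([ATTACK, OK200]),
        "attack_then_404": run_flow([ATTACK, ERR404]),
        "benign_then_200": run_flow([BENIGN, OK200]),
        "200_before_attack": run_flow([OK200, ATTACK]),
    }


if __name__ == "__main__":
    for name, alerts in scenarios().items():
        print(f"{name:18s} -> {alerts or 'no alert'}")
```

Two caveats from the thread carry over directly: with stream4's default of client-side-only reassembly the server-side rule is matched against individual response packets rather than a reassembled stream, so the status line has to sit in the first packet, and every to_client rule adds inspection of the full response volume, which is the load Matt and Steve are pointing at. Keeping the server-side rule gated on flowbits:isset at least limits the expensive match to flows already tagged by a request rule.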