[Snort-users] (no subject)

Jim Burnes jburnes at ...75...
Thu Jul 20 14:40:19 EDT 2000


On Wed, 19 Jul 2000, Martin Roesch wrote:

> > (4) Be able to easily indicate a list of internal subnets which
> >     should be ignored if you see traffic flowing between them.
> >    (right now I have this implemented via a BPF pre-filter, but
> >    there must be a more elegant method.  The BPF filter gets a little
> >    complicated.)
> 
> Have you looked at using pass rules?  Try pass rules combined with the -o
> switch to do this sort of thing.  See http://www.snort.org/snort_rules.html
> for more info on writing rules....
> 

I will see if I can get a pass setup to do this elegantly.  Right now
the BPF filters are working OK, but they force me to use only the
any<->any ruleset, which creates lots of false positives.  In other
words, seeing lots of SYNs from inside to outside could easily be
a web cache, but seeing them from outside to inside should send
up flags.

Another idea I had (and a good one, I think) is to have every rule
carry a trigger threshold.  This would give people an arbitrary way
to squelch down certain rules, somewhat like the portscan facility
has.

Are you going to Blackhat/DEFCON?

Thanks,

Jim Burnes
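For readers coming to this thread later, here is what the pass-rule approach Martin suggests looks like in practice.  This is an added example, not a ruleset from either poster or from the Snort project; the subnets (192.168.1.0/24 and 192.168.2.0/24 as the internal networks, 192.168.0.0/16 as the enclosing block) and the message text are assumptions chosen for illustration.

```snort
# Added example, not part of the original thread.
# Assumed layout: two internal subnets inside 192.168.0.0/16.

# Pass rules: drop from further inspection any TCP traffic that stays
# inside the internal subnets.  "<>" matches either direction.
pass tcp 192.168.1.0/24 any <> 192.168.1.0/24 any
pass tcp 192.168.2.0/24 any <> 192.168.2.0/24 any
pass tcp 192.168.1.0/24 any <> 192.168.2.0/24 any

# A directional alert rule that would otherwise fire on every SYN
# aimed at the internal networks, including internal-to-internal ones.
alert tcp any any -> 192.168.0.0/16 any (flags: S; msg: "Inbound SYN to internal net";)
```

Start Snort with the -o switch so the rule order becomes Pass->Alert->Log instead of the default Alert->Pass->Log; without -o the alert rule above is evaluated first and the pass rules never get a chance to suppress it.  Two caveats a practitioner would want: a pass rule silences everything that matches it, logging included, so keep the subnet list as tight as you can and verify with a quick replay that nothing you care about falls through it; and the internal-only addresses can be maintained in one place with a var definition in the config rather than repeated in each rule.  The per-rule trigger threshold Jim proposes above did not exist at the time of this thread; later Snort releases added a threshold rule option that limits how often a given rule may alert per source or destination, which is the same squelching idea expressed per rule.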
