[Snort-users] Future or presently developed question

Sean Wheeler S.Wheeler at ...2876...
Mon Nov 5 07:08:03 EST 2001


With the current webserver attack frenzy we have experienced, I am seeing
literally thousands of entries in my logs 99% of which are irrelevant.

If I am asking a question which has been asked before please refrain from
the flames and rather point me in the direction I am looking for.

Is it possible now or in future to analyse the response returned by the server,
and then have snort decide whether it is worth logging the alert or not?
For example, a CodeRed II access to the backdoor dos shell: if the server
returns a 404 not found, could snort not report the IDS alert in this case?
I am not asking for a million scenarios, but in particular a function for
just the 404 example, which would reduce the alerts by probably 99%.

If this feature does exist, are there any "Heads Up" you have in using this,
and where would I find documentation specifically on implementing this feature?

I look forward to your constructive responses :)
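Added example, not from the original post or from the Snort project: one defender-side way to get the 404 suppression asked for above is to correlate Snort's fast-format alert lines with the web server's own access log after the fact and discard alerts whose matching request was answered 404. The alert and access-log lines are constructed samples (placeholder IPs, rule sid, message text and URI), and the script assumes both logs are written from the same clock in local time.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data: IPs, rule sid, message text and URI are placeholders.
SNORT_ALERTS = [
    "11/05-07:01:12.000000 [**] [1:9999901:1] WEB-IIS backdoor shell access [**] {TCP} 10.0.0.5:3344 -> 192.0.2.10:80",
    "11/05-07:02:40.000000 [**] [1:9999901:1] WEB-IIS backdoor shell access [**] {TCP} 10.0.0.6:4455 -> 192.0.2.10:80",
    "11/05-07:03:05.000000 [**] [1:9999901:1] WEB-IIS backdoor shell access [**] {TCP} 10.0.0.7:5566 -> 192.0.2.10:80",
]
ACCESS_LOG = [  # the third alert has no access-log line at all, so it must survive
    '10.0.0.5 - - [05/Nov/2001:07:01:12 -0500] "GET /scripts/shell.exe?/c+dir HTTP/1.0" 404 210',
    '10.0.0.6 - - [05/Nov/2001:07:02:41 -0500] "GET /scripts/shell.exe?/c+dir HTTP/1.0" 200 1423',
]

ALERT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ \[\*\*\] .*?\{TCP\} ([\d.]+):\d+ -> [\d.]+:\d+$")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse_alert(line, year):
    """Return (timestamp, source IP) from a Snort fast-format alert, or None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    mon, day, hms, src = m.groups()
    return datetime.strptime(f"{year}-{mon}-{day} {hms}", "%Y-%m-%d %H:%M:%S"), src

def parse_access(line):
    """Return (timestamp, client IP, status) from a common-log line, or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ip, stamp, status = m.groups()
    # Drop the zone offset: both logs are assumed to be written in local time.
    return datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S"), ip, int(status)

def filter_alerts(alerts, access_lines, year=2001, window=timedelta(seconds=5), drop_status=(404,)):
    """Keep an alert unless every request from its source IP within `window`
    was answered with a status in `drop_status` (unparsable alerts are kept)."""
    responses = [r for r in map(parse_access, access_lines) if r]
    kept = []
    for line in alerts:
        parsed = parse_alert(line, year)
        if parsed is None:
            kept.append(line)  # never silently drop what we cannot read
            continue
        ts, src = parsed
        statuses = [st for rts, ip, st in responses if ip == src and abs(rts - ts) <= window]
        if statuses and all(st in drop_status for st in statuses):
            continue  # the probe hit nothing that exists on this server
        kept.append(line)
    return kept
```

An alert with no matching access-log line is deliberately kept: a request that never reached the web server's log (or a log with a different clock) is exactly the case you do not want a suppression filter to hide.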


