[Snort-users] Future or presently developed question
cmg at ...671...
Mon Nov 5 07:25:02 EST 2001
"Sean Wheeler" <S.Wheeler at ...2876...> writes:
> With the current webserver attack frenzy we have experienced, I am seeing
> literally thousands of entries in my logs 99% of which are irrelevant.
> If I am asking a question which has been asked before please refrain from
> the flames and rather point me in the direction I am looking for.
> Is it possible now or in future to analyse the response returned by the server,
> and then have snort decide whether it is worth logging the alert or not?
Most of this is an IDS postprocessing problem for lots of us. We *want*
to see who is trying things and what they are trying. Providing
enough functionality to prioritize them internally though would be an
> for example a CodeRed II access to the backdoor dos shell, if the
> server returns a 404 not found, could snort not report the IDS alert
> in this case ?
attack-responses.rules:alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; flags: A+; classtype:bad-unknown; sid:1292; rev:1;)
Covers the case where you were successfully attacked by nimda.
Perhaps something can be done w/ streams for snort 2.0....
> I am not asking for a million scenarios, but in particular a function
> for just the 404 example, which would reduce the alerts by probably
> 99%.
> If this feature does exist, are there any "Heads Up" you have in using this,
> and where would I find documentation specifically on implementing this feature?
> I look forward to your constructive responses :)
Chris Green <cmg at ...671...>
To err is human, to moo bovine.
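The 404 idea in this thread is the postprocessing problem Chris describes: the alert tells you who sent the probe, the web server's own log tells you what it answered. The script below is an added example written for this page, not code from the Snort project or from either poster. It correlates Snort-style alert lines with Apache combined-format access log lines by client IP and a short time window, and marks an alert as low priority when the server answered with a 4xx status. All alert lines, log lines, addresses and sids are constructed sample data (the sids are placeholders, not rule ids from the Snort rule set), and the alert format assumed is the shape of Snort's alert_fast output.

```python
"""Correlate Snort alerts with the web server's response.

Added example, not from the Snort project or the mailing list post.
Assumptions: alerts are in the shape of Snort's alert_fast output,
responses are in Apache combined log format, and both come from the
same host so clocks agree.  All sample data below is constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample alerts; sids 9000001/9000002 are placeholders.
ALERT_FAST = """\
11/05-07:25:02.112233 [**] [1:9000001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4321 -> 203.0.113.5:80
11/05-07:25:09.445566 [**] [1:9000001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.77:1055 -> 203.0.113.5:80
11/05-07:26:40.000001 [**] [1:9000002:1] WEB-IIS root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.3:2200 -> 203.0.113.5:80
"""

# Constructed Apache combined-format lines from the same server.
ACCESS_LOG = """\
192.0.2.10 - - [05/Nov/2001:07:25:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
192.0.2.77 - - [05/Nov/2001:07:25:10 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1311 "-" "-"
10.0.0.9 - - [05/Nov/2001:07:25:30 -0500] "GET /index.html HTTP/1.1" 200 4523 "-" "Mozilla/4.0"
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] .*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r"(?P<status>\d{3}) "
)

# Assumption: alert_fast timestamps carry no year, so pin it to the log's year.
LOG_YEAR = 2001


def parse_alerts(text):
    """Return one dict per alert line: time, sid, msg, src, dst, dport."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        alerts.append({"time": ts, "sid": int(m["sid"]), "msg": m["msg"],
                       "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return alerts


def parse_access_log(text):
    """Return one dict per access-log line: time, client, uri, status."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # Drop the "-0500" zone so both sides compare as naive local times.
        ts = datetime.strptime(m["ts"].split(" ")[0], "%d/%b/%Y:%H:%M:%S")
        entries.append({"time": ts, "client": m["client"], "uri": m["uri"],
                        "status": int(m["status"])})
    return entries


def correlate(alerts, requests, window=timedelta(seconds=5)):
    """Attach the server's answer to each alert and assign a triage verdict.

    deprioritize - server answered 4xx: the probed resource was not there
    keep         - server answered 2xx/3xx/5xx: the request reached a handler
    no-response  - no access-log line from that client inside the window
    """
    results = []
    for a in alerts:
        match = next((r for r in requests
                      if r["client"] == a["src"]
                      and abs(r["time"] - a["time"]) <= window), None)
        if match is None:
            verdict = "no-response"
        elif 400 <= match["status"] < 500:
            verdict = "deprioritize"
        else:
            verdict = "keep"
        results.append({**a, "status": match["status"] if match else None,
                        "uri": match["uri"] if match else None, "verdict": verdict})
    return results


def triage():
    """Run the correlation over the constructed sample data."""
    return correlate(parse_alerts(ALERT_FAST), parse_access_log(ACCESS_LOG))


if __name__ == "__main__":
    for r in triage():
        print(f"{r['time']:%H:%M:%S} {r['src']:<14} sid={r['sid']} "
              f"status={r['status']} -> {r['verdict']}: {r['msg']}")
```

Matching on client IP and a five-second window is deliberately coarse: alert_fast lines do not carry the request URI, so a busy client could pair with the wrong log line. If you log alerts in a format that includes the payload, match on the URI as well, and treat "no-response" as a gap in visibility rather than as proof the probe failed.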