[Snort-users] Can snort be smarter?
Jason.Haar at ...294...
Mon Jul 1 14:46:14 EDT 2002
There's a thread over in Security-Focus-IDS ("Crying wolf:") where people
are bemoaning the amount of false-positives that IDSes generate.

One thing missing from Snort would be the ability for it to recognise the
difference between (say) a CodeRed attempt against an IIS and an Apache

With stateful packet reassembly, would it be possible to match on the return
packets in the same rule? e.g.

    content: "/script.exe?"; content: "Server: Microsoft-IIS"

That way you'd only get an alert on application-specific attacks when
they're against that particular application.

I realise that some would still want to know about ALL attacks - but that
could be dealt with by the above rule being an "alert", followed by the
same rule without the "Server: Microsoft-IIS" bit being a "log".

Apparently this is a feature NFR has.
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
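The request/response correlation the post asks for, as an added illustration (not from the original message and not Snort code; Snort's own closest mechanism is the `flowbits` keyword, which lets one rule set a per-flow flag that a second rule tests). The correlator below remembers a request that matches the attack content per flow, then decides the verdict only when the server's reply arrives: "alert" if the reply carries the targeted `Server:` header, "log" otherwise, and "log" for flows that never answer. The flow names and packet payloads are constructed samples, and the `Packet`/`FlowCorrelator` names are this example's own.

```python
"""Flow-aware two-sided matching: request content AND response content.

Added example, not part of the original post and not Snort's implementation.
All traffic below is constructed for illustration.
"""
from dataclasses import dataclass

# The two content pieces from the post: one on the request, one on the reply.
REQUEST_CONTENT = b"/script.exe?"
RESPONSE_CONTENT = b"Server: Microsoft-IIS"


@dataclass(frozen=True)
class Packet:
    flow: str        # stand-in for the TCP 5-tuple (constructed label)
    to_server: bool  # True for client->server, False for server->client
    payload: bytes   # reassembled application data


class FlowCorrelator:
    """Holds per-flow state so a request and its reply are judged together."""

    def __init__(self, request_content, response_content):
        self.request_content = request_content
        self.response_content = response_content
        self.pending = {}    # flow -> matching request awaiting a reply
        self.verdicts = []   # (flow, severity) in the order decided

    def feed(self, pkt):
        """Consume one packet; return 'alert'/'log' when a verdict is reached."""
        if pkt.to_server:
            # Remember only requests that match the attack signature.
            if self.request_content in pkt.payload:
                self.pending[pkt.flow] = pkt.payload
            return None
        request = self.pending.pop(pkt.flow, None)
        if request is None:
            return None  # reply on a flow with no recorded suspicious request
        # The post's idea: full alert only when the reply names the target app.
        severity = "alert" if self.response_content in pkt.payload else "log"
        self.verdicts.append((pkt.flow, severity))
        return severity

    def finish(self):
        """Flows that never replied: target unknown, keep the low-priority record."""
        for flow in list(self.pending):
            del self.pending[flow]
            self.verdicts.append((flow, "log"))
        return list(self.verdicts)


# Constructed sample traffic, interleaved to show that state is kept per flow.
SAMPLE_TRAFFIC = [
    Packet("flowA", True, b"GET /script.exe?/c+dir HTTP/1.0\r\n\r\n"),
    Packet("flowB", True, b"GET /script.exe?/c+dir HTTP/1.0\r\n\r\n"),
    Packet("flowC", True, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("flowB", False, b"HTTP/1.1 404 Not Found\r\nServer: Apache/1.3.26\r\n\r\n"),
    Packet("flowA", False, b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n"),
    Packet("flowC", False, b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n"),
    Packet("flowD", True, b"GET /script.exe?/c+dir HTTP/1.0\r\n\r\n"),
]


def run_sample(traffic=SAMPLE_TRAFFIC):
    """Run the correlator over the sample and return the list of verdicts."""
    correlator = FlowCorrelator(REQUEST_CONTENT, RESPONSE_CONTENT)
    for pkt in traffic:
        correlator.feed(pkt)
    return correlator.finish()


if __name__ == "__main__":
    for flow, severity in run_sample():
        print(f"{severity:5s} {flow}")
```

Only flowA (IIS answered) is an "alert"; flowB (Apache answered) and flowD (no reply seen) fall to "log", and the benign request on flowC produces nothing, which is exactly the alert/log split the post proposes.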