[Snort-users] Can snort be smarter?

Kevin Brown Kevin.M.Brown at ...1022...
Mon Jul 1 15:04:51 EDT 2002


Why not set up the rules yourself to only trigger when they go after your
IIS servers or apache servers? Define a few more variables in your
snort.conf file to cover IIS servers or apache or whatever app, then in the
rules use that definition to replace the default.

var IISSERVER [IPs]
var APACHESERVER [IPs]

etc...

-----Original Message-----
From: Jason Haar
To: snort-users at lists.sourceforge.net
Sent: 7/1/02 2:43 PM
Subject: [Snort-users] Can snort be smarter?

There's a thread over in Security-Focus-IDS ("Crying wolf:") where people
are bemoaning the amount of false-positives that IDSes generate.

One thing missing from Snort would be the ability for it to recognise the
difference between (say) a CodeRed attempt against an IIS and an Apache
server.

With stateful packet reassembly, would it be possible to match on the return
packets in the same rule? e.g.

content: "/script.exe?"; content: "Server: Microsoft-IIS"

That way you'd only get an alert on application-specific attacks when
they're against that particular application.

I realise that some would still want to know about ALL attacks - but that
could be dealt with by the above rule being an "alert", followed by the
same rule without the "Server: Microsoft-IIS" bit being a "log".

Apparently this is a feature NFR has.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
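Kevin's suggestion (per-application host variables in snort.conf) combined with Jason's alert/log pairing, written out as an added example; this is not configuration from either poster. It assumes Snort 2.x rule syntax (flow, sid, rev, backslash line continuation) and the addresses and SIDs are constructed placeholders:

```snort
# snort.conf fragment (added example, not from the thread). Name the hosts
# that actually run each application so application-specific rules only
# alert against them. Addresses are constructed placeholders.
var EXTERNAL_NET any
var HTTP_PORTS 80
var IISSERVER [192.0.2.10,192.0.2.11]
var APACHESERVER [192.0.2.20]

# Alert only when the IIS-specific request is sent to an IIS host.
alert tcp $EXTERNAL_NET any -> $IISSERVER $HTTP_PORTS \
    (msg:"WEB-IIS script.exe request against IIS host"; \
    flow:to_server,established; content:"/script.exe?"; nocase; \
    classtype:web-application-attack; sid:1000001; rev:1;)

# The same signature against any other web server is only logged,
# so the attempt is recorded without raising an alert.
log tcp $EXTERNAL_NET any -> !$IISSERVER $HTTP_PORTS \
    (msg:"WEB-IIS script.exe request against non-IIS host"; \
    flow:to_server,established; content:"/script.exe?"; nocase; \
    sid:1000002; rev:1;)
```

Rules that should fire only against Apache hosts use $APACHESERVER in the same way.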

