[Snort-users] Can snort be smarter?

Jason Haar Jason.Haar at ...294...
Mon Jul 1 16:29:19 EDT 2002


On Mon, Jul 01, 2002 at 03:01:14PM -0700, Kevin Brown wrote:
>  Why not set up the rules yourself to only trigger when they go after your
> IIS servers or apache servers?  Define a few more variables in your
> snort.conf file to cover IIS servers or apache or whatever app, then in the
> rules use that definition to replace the default.

...because that actually requires me to know what's on my networks :-)

Unfortunately, I don't have that level of control over all the networks I
want to run IDSes on. :-(

...although it may be worth scripting for - a little bit of nmap and nc
could go a long way... Hmmmmm

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
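
An added example, not part of the original thread: one way to script the idea discussed above, turning `nmap -sV -oG -` grepable output into per-application server variables for snort.conf. The variable names `IIS_SERVERS` and `APACHE_SERVERS`, the banner patterns and the sample scan are assumptions constructed for illustration; when no host matches, the variable falls back to `$HOME_NET` so rules scoped to it still cover the whole network.

```python
import re

# Constructed sample of `nmap -sV -oG -` output (documentation addresses).
SAMPLE_SCAN = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (web1)\tPorts: 80/open/tcp//http//Microsoft IIS httpd 5.0/, "
    "443/open/tcp//https//Microsoft IIS httpd 5.0/\n"
    "Host: 192.0.2.20 ()\tPorts: 80/open/tcp//http//Apache httpd 1.3.26 ((Unix))/\n"
    "Host: 192.0.2.30 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.4/, 80/closed/tcp//http///\n"
    "Host: 192.0.2.40 ()\tStatus: Up\n"
)

# Hypothetical variable names, each mapped to a pattern for the version banner.
FINGERPRINTS = {
    "IIS_SERVERS": re.compile(r"Microsoft IIS", re.I),
    "APACHE_SERVERS": re.compile(r"\bApache\b", re.I),
}

def classify(grepable):
    """Return {variable name: set of host IPs} from nmap grepable output."""
    found = {name: set() for name in FINGERPRINTS}
    for line in grepable.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]*)", line)
        if not m:
            continue  # comment lines and hosts without a Ports field
        host, ports = m.groups()
        for entry in ports.split(", "):
            # port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            for name, pattern in FINGERPRINTS.items():
                if pattern.search(fields[6]):
                    found[name].add(host)
    return found

def snort_vars(found, fallback="$HOME_NET"):
    """Render one `var` line per name; never emit an empty address list."""
    lines = []
    for name in sorted(found):
        hosts = sorted(found[name])
        if hosts:
            value = "[" + ",".join(h + "/32" for h in hosts) + "]"
        else:
            value = fallback  # unknown inventory: keep full coverage
        lines.append(f"var {name} {value}")
    return lines

if __name__ == "__main__":
    print("\n".join(snort_vars(classify(SAMPLE_SCAN))))
```

Hosts that hide or alter their banners are missed by this kind of inventory, so narrowing rules to the generated lists trades fewer false positives for possible blind spots.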



