[Snort-users] General suspicious traffic detection
jbly at ...6784...
Wed Sep 4 10:57:03 EDT 2002
Has anyone given any thought to ways to define through snort, a list of
authorized protocols on a particular interface, so that any other protocols
appearing on the wire would trigger alerts? Essentially defining and
"authorized port" policy.
Granted some protocols would require protocol interpretation to avoid false
positives (like FTP, Streaming Video, etc) but my consideration is for wires
where all ports can be defined. (i.e. such and such wire should only see
nntp, ssh, and telnet)
Thoughts are greatly appreciated,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users