[Snort-users] General suspicious traffic detection

Erek Adams erek at ...577...
Wed Sep 4 11:05:02 EDT 2002


On Wed, 4 Sep 2002, James Bly wrote:

> Has anyone given any thought to ways to define through snort, a list of
> authorized protocols on a particular interface, so that any other protocols
> appearing on the wire would trigger alerts? Essentially defining an
> "authorized port" policy.
>
> Granted some protocols would require protocol interpretation to avoid false
> positives (like FTP, Streaming Video, etc) but my consideration is for wires
> where all ports can be defined. (i.e. such and such wire should only see
> nntp, ssh, and telnet)
>
> Thoughts are greatly appreciated,

Ask and ye shall receive.
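
The "authorized port" policy asked about above, sketched as an added example that is not part of the original message or of the Snort project's rule set. It assumes Snort 2.x `ipvar`/`portvar` syntax (newer than the release current when this thread was written); the network range, variable names and sids are constructed placeholders.

```snort
# Constructed values: replace the range with the monitored wire's addresses.
ipvar WIRE_NET 192.0.2.0/24

# The services named in the question: ssh (22), telnet (23), nntp (119).
portvar AUTHORIZED_TCP [22,23,119]

# New connection attempts (SYN only) to any port outside the authorized set.
alert tcp any any -> $WIRE_NET !$AUTHORIZED_TCP (msg:"POLICY TCP connection attempt to unauthorized port"; flags:S; classtype:policy-violation; sid:1000001; rev:1;)

# A host on the wire answering SYN+ACK from an unauthorized port,
# meaning an unapproved listener exists and accepted the connection.
alert tcp $WIRE_NET !$AUTHORIZED_TCP -> any any (msg:"POLICY unauthorized TCP listener answered"; flags:SA; classtype:policy-violation; sid:1000002; rev:1;)

# No UDP service is authorized on this wire, so any datagram is a violation.
alert udp any any -> $WIRE_NET any (msg:"POLICY UDP traffic on TCP-only wire"; classtype:policy-violation; sid:1000003; rev:1;)
```

Matching on SYN and SYN+ACK rather than every packet keeps the alerts to one per connection attempt; protocols that negotiate secondary ports (FTP data channels, streaming) would still need the protocol interpretation the question mentions.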


