[Snort-users] General suspicious traffic detection
erek at ...577...
Wed Sep 4 11:05:02 EDT 2002
On Wed, 4 Sep 2002, James Bly wrote:
> Has anyone given any thought to ways to define through snort, a list of
> authorized protocols on a particular interface, so that any other protocols
> appearing on the wire would trigger alerts? Essentially defining and
> "authorized port" policy.
> Granted some protocols would require protocol interpretation to avoid false
> positives (like FTP, Streaming Video, etc) but my consideration is for wires
> where all ports can be defined. (i.e. such and such wire should only see
> nntp, ssh, and telnet)
> Thoughts are greatly appreciated,
Ask and ye shall recieve.
More information about the Snort-users