[Snort-users] General suspicious traffic detection

twig les twigles at ...131...
Wed Sep 4 13:46:02 EDT 2002

I've thought a little about it.  All I've considered
doing is having two snort processes running, each with
their own snort.conf.  I already have a custom.rules
file, so I would just make another one for the second

--- James Bly <jbly at ...6784...> wrote:
> Has anyone given any thought to ways to define through snort, a list of
> authorized protocols on a particular interface, so that any other protocols
> appearing on the wire would trigger alerts? Essentially defining an
> "authorized port" policy.
> Granted some protocols would require protocol interpretation to avoid false
> positives (like FTP, Streaming Video, etc) but my consideration is for wires
> where all ports can be defined. (i.e. such and such wire should only see
> nntp, ssh, and telnet)
> Thoughts are greatly appreciated,
> -James

Heavy metal made me do it.                        
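
The "authorized port" policy from the quoted question, written out as Snort rules. This is an added example and not part of either message; it assumes Snort 2.8 or later (for portvar and negated port lists), that HOME_NET is defined in snort.conf, and it uses constructed sids from the local range.

```snort
# Added example, not from the thread. Constructed policy: this wire should
# only see ssh (22), telnet (23) and nntp (119).
portvar AUTHORIZED_TCP [22,23,119]

# New TCP sessions to any port outside the list. Matching only the initial
# SYN (ignoring the two reserved/ECN bits) keeps server replies to clients'
# ephemeral source ports from alerting on every packet of a permitted session.
alert tcp any any -> $HOME_NET !$AUTHORIZED_TCP (msg:"POLICY new TCP session to unauthorized port"; flags:S,12; classtype:policy-violation; sid:1000001; rev:1;)

# No UDP service is authorized on this wire, so any UDP datagram is a violation.
alert udp any any -> $HOME_NET any (msg:"POLICY unauthorized UDP traffic"; classtype:policy-violation; sid:1000002; rev:1;)

# ICMP is not in the authorized list either.
alert icmp any any -> $HOME_NET any (msg:"POLICY unauthorized ICMP traffic"; classtype:policy-violation; sid:1000003; rev:1;)
```

These rules only cover traffic addressed to HOME_NET; sessions that hosts on the wire open outbound to other ports need a mirrored rule, and protocols that negotiate secondary ports (the FTP case mentioned in the question) would still alert.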
