[Snort-users] General suspicious traffic detection

twig les twigles at ...131...
Wed Sep 4 13:46:02 EDT 2002


I've thought a little about it.  All I've considered
doing is having two snort processes running, each with
their own snort.conf.  I already have a custom.rules
file, so I would just make another one for the second
process.



--- James Bly <jbly at ...6784...> wrote:
> Has anyone given any thought to ways to define through snort, a list of
> authorized protocols on a particular interface, so that any other protocols
> appearing on the wire would trigger alerts? Essentially defining an
> "authorized port" policy.
>
> Granted some protocols would require protocol interpretation to avoid false
> positives (like FTP, Streaming Video, etc) but my consideration is for wires
> where all ports can be defined. (i.e. such and such wire should only see
> nntp, ssh, and telnet)
>  
> Thoughts are greatly appreciated,
> -James
> 


=====
-----------------------------------------------------------
Heavy metal made me do it.                        
-----------------------------------------------------------
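
An added example, not part of either message above: one way to write the "authorized port" policy from the quoted question (a wire that should only see nntp, ssh and telnet) as the custom rules file for a dedicated second Snort process. It assumes Snort 2.8 or later for port lists and negated port variables; the file names, the 192.0.2.0/24 range, the variable names and the sids are constructed placeholders.

```snort
# custom-policy.rules  (hypothetical file name)
#
# Loaded only by the second snort process, whose own config file
# (hypothetical: snort-policy.conf) includes classification.config and
# this file and nothing else, for example:
#   snort -c /etc/snort/snort-policy.conf -i eth1
#
# Constructed values: the address range below and the sids
# (1000000 and above is the range reserved for local rules).

var WIRE_NET 192.0.2.0/24

# The complete list of services this wire is allowed to carry:
# ssh (22), telnet (23), nntp (119).
portvar AUTHORIZED_TCP [22,23,119]

# 1. A new TCP connection attempt to any port outside the list.
#    Matching only the initial SYN (ignoring the two ECN bits) gives one
#    alert per attempt and keeps return traffic to clients' ephemeral
#    ports from matching.
alert tcp any any -> $WIRE_NET !$AUTHORIZED_TCP (msg:"POLICY TCP connection attempt to unauthorized port"; flags:S,12; classtype:policy-violation; sid:1000001; rev:1;)

# 2. A host on the wire accepting a connection on a port outside the
#    list (SYN+ACK sent from that port). This still fires when the
#    sensor missed the original SYN.
alert tcp $WIRE_NET !$AUTHORIZED_TCP -> any any (msg:"POLICY unauthorized TCP service answering on wire"; flags:SA,12; classtype:policy-violation; sid:1000002; rev:1;)

# 3. Anything that is not TCP at all (UDP, ICMP, ...). On a wire whose
#    whole policy is three TCP services this is out of policy by
#    definition. Expect alerts from ordinary ICMP and DNS unless those
#    are deliberately added to the policy.
alert ip any any -> $WIRE_NET any (msg:"POLICY non-TCP protocol on TCP-only wire"; ip_proto:!6; classtype:policy-violation; sid:1000003; rev:1;)
```

As the question notes, this only holds up on wires where every port can be listed in advance; protocols that negotiate secondary ports, such as FTP, would trip rules 1 and 2.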