[Snort-users] Making snort smarter...
rice at ...7669...
Mon Apr 28 14:48:21 EDT 2003
I was just thinking about what would make snort better/smarter and was curious how hard it would be to associate certain services/servers with sigs just for those services/servers. Not unlike defining $vars in the snort.conf, but much more robust. Maybe even a target flag in the rules themselves? For example, I'm just sick of seeing IIS alerts for my Apache servers, but I have IIS boxes too, so I can't turn them off. I know that you can use BPFs and other filters to accomplish this, but in a large company it can really be time-consuming to hone all of the rules, filters, yada yada. It would just be more efficient to define all of your services/servers once and have it just ignore all irrelevant alerts if so desired, even when rules are added or updated. Any thoughts?