[Snort-users] Making snort smarter...

Paul Schmehl pauls at ...6838...
Mon Apr 28 15:04:17 EDT 2003


For the specific example you give I think it would be entirely appropriate 
to create a var called "$IIS_SERVERS" and then put all the *other* 
webservers under $HTTP_SERVERS.  I've suggested this before, and I'd love 
to see it implemented in the rules, because IIS is a beast unto itself.

I too get irritated by the many IIS alerts for Apache servers.  (We also 
have both.)

Other than that one anomaly, I'm not sure what you have in mind.  I can't 
think of another alert that is so consistently "abused".

--On Monday, April 28, 2003 02:47:36 PM -0700 Tobias Rice <rice at ...7669...> 
wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I was just thinking about what would make snort better/smarter and was
> curious how hard it would be to associate certain services/servers with
> sigs just for those services/servers. Not unlike defining $vars in the
> snort.conf, but much more robust. Maybe even a target flag in the rules
> themselves? For example, I'm just sick of seeing IIS alerts for my Apache
> servers, but having IIS boxes too, so I can't turn it off. I know that
> you can use BPF's and other filters to accomplish this, but in a large
> company it can really be time consuming to hone all of the rules,
> filters, yada yada. It would just be more efficient to define all of your
> services/servers once and it just ignore all irrelevant alerts if so
> desired, even when rules are added or updated. Any thoughts?

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
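To show concretely what the $IIS_SERVERS/$HTTP_SERVERS split does, here is an added toy model of Snort's variable targeting. It is not code from this thread or from Snort itself: the snort.conf fragment, the two rules (with made-up sids and messages), and all addresses are constructed for the example. It models only rule-header targeting (source, destination, destination port) and ignores payload options like content, and its handling of $VAR references nested inside bracketed lists is this toy's own parsing assumption rather than a statement about any particular Snort version.

```python
"""Toy model of Snort $VAR targeting, showing why giving IIS boxes their
own var keeps IIS-specific alerts off the Apache hosts.
Added illustration, not Snort code; everything below is constructed."""
import re
from ipaddress import ip_address, ip_network

# Constructed snort.conf fragment (Snort 2.0-era `var` syntax).
# IIS boxes get their own var; the other web servers stay in HTTP_SERVERS.
SNORT_CONF = """
var EXTERNAL_NET any
var HTTP_SERVERS [192.0.2.10,192.0.2.11]
var IIS_SERVERS [192.0.2.20]
var HTTP_PORTS 80
"""

# Constructed rules with made-up sids: the IIS rule targets only
# $IIS_SERVERS, the generic web rule targets both groups.
RULES = """
alert tcp $EXTERNAL_NET any -> $IIS_SERVERS $HTTP_PORTS (msg:"WEB-IIS example probe"; content:"/scripts/"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> [$HTTP_SERVERS,$IIS_SERVERS] $HTTP_PORTS (msg:"WEB-MISC generic probe"; content:"/cgi-bin/"; sid:1000002;)
"""

RULE_HDR = re.compile(r"alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)")


def parse_vars(conf):
    """Return {NAME: raw value} for every `var NAME value` line."""
    out = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(\S+)", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def split_list(text):
    """Split 'a,[b,c],d' at top-level commas only (brackets may nest)."""
    items, depth, cur = [], 0, ""
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        items.append(cur)
    return items


def expand(text, variables):
    """Resolve an address spec to a list of ip_network objects; None means 'any'.
    Handles $VAR references, single hosts/CIDRs, and bracketed lists
    (nesting of $VARs inside lists is this toy's assumption)."""
    text = text.strip()
    if text == "any":
        return None
    if text.startswith("$"):
        return expand(variables[text[1:]], variables)
    if text.startswith("[") and text.endswith("]"):
        nets = []
        for item in split_list(text[1:-1]):
            sub = expand(item, variables)
            if sub is None:       # an 'any' inside a list swallows the list
                return None
            nets.extend(sub)
        return nets
    return [ip_network(text, strict=False)]


def resolve_port(text, variables):
    """Resolve a port spec to an int, or None for 'any'."""
    text = variables[text[1:]] if text.startswith("$") else text
    return None if text == "any" else int(text)


def parse_rules(rules, variables):
    """Parse rule headers into resolved src/dst network lists and a dport."""
    parsed = []
    for line in rules.splitlines():
        m = RULE_HDR.match(line.strip())
        if not m:
            continue
        _proto, src, _sport, dst, dport, opts = m.groups()
        msg = re.search(r'msg:"([^"]*)"', opts).group(1)
        parsed.append({"msg": msg,
                       "src": expand(src, variables),
                       "dst": expand(dst, variables),
                       "dport": resolve_port(dport, variables)})
    return parsed


def matches(nets, addr):
    """True if addr is within any network in nets, or nets is 'any'."""
    return nets is None or any(ip_address(addr) in n for n in nets)


def alerts_for(packet, rules):
    """Return msgs of every rule whose header matches (src, dst, dport)."""
    src, dst, dport = packet
    return [r["msg"] for r in rules
            if matches(r["src"], src) and matches(r["dst"], dst)
            and (r["dport"] is None or r["dport"] == dport)]


VARIABLES = parse_vars(SNORT_CONF)
PARSED_RULES = parse_rules(RULES, VARIABLES)

if __name__ == "__main__":
    # Constructed traffic: same external source probing an Apache host and an IIS host.
    for pkt in [("203.0.113.5", "192.0.2.10", 80), ("203.0.113.5", "192.0.2.20", 80)]:
        print(pkt, alerts_for(pkt, PARSED_RULES))
```

Run stand-alone, the Apache host (192.0.2.10) only produces the generic web alert, while the IIS host (192.0.2.20) produces both. The maintenance point from the thread also shows up here: a new IIS rule written against $IIS_SERVERS stays targeted without touching any BPF or per-host filter, because the host grouping lives in one place in the config.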



