[Snort-users] Making snort smarter...

Paul Schmehl pauls at ...6838...
Mon Apr 28 15:04:17 EDT 2003

For the specific example you give I think it would be entirely appropriate 
to create a var called "$IIS_SERVERS" and then put all the *other* 
webservers under $HTTP_SERVERS.  I've suggested this before, and I'd love 
to see it implemented in the rules, because IIS is a beast unto itself.

I too get irritated by the many IIS alerts for Apache servers.  (We also 
have both.)

Other than that one anomaly, I'm not sure what you have in mind.  I can't 
think of another alert that is so consistently "abused".

--On Monday, April 28, 2003 02:47:36 PM -0700 Tobias Rice <rice at ...7669...> 

> I was just thinking about what would make snort better/smarter and was
> curious how hard it would be to associate certain services/servers with
> sigs just for those services/servers. Not unlike defining $vars in the
> snort.conf, but much more robust. Maybe even a target flag in the rules
> themselves? For example, I'm just sick of seeing IIS alerts for my Apache
> servers, but having IIS boxes too, so I can't turn it off. I know that
> you can use BPFs and other filters to accomplish this, but in a large
> company it can really be time consuming to hone all of the rules,
> filters, yada yada. It would just be more efficient to define all of your
> services/servers once and have it just ignore all irrelevant alerts if so
> desired, even when rules are added or updated. Any thoughts?

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
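One way to lay out snort.conf along the lines Paul describes above, as an added example that is not from the original thread: the addresses, rule contents and sids are constructed placeholders, and only the standard Snort 2 var/rule syntax is used.

```snort
# Added example, not from the original post. Addresses are constructed.
var HOME_NET 10.0.0.0/16
var EXTERNAL_NET !$HOME_NET
var HTTP_PORTS 80

# Apache and every other non-IIS web server live here
var HTTP_SERVERS [10.0.1.10/32,10.0.1.11/32]

# IIS boxes only; keeping them out of $HTTP_SERVERS is the whole point
var IIS_SERVERS [10.0.2.20/32,10.0.2.21/32]

# An IIS-specific signature is aimed at $IIS_SERVERS, so a request to an
# Apache host can never trigger it. Hypothetical rule in the local sid range.
alert tcp $EXTERNAL_NET any -> $IIS_SERVERS $HTTP_PORTS (msg:"LOCAL WEB-IIS example, IIS hosts only"; flow:to_server,established; uricontent:"/example-iis-only"; nocase; classtype:web-application-activity; sid:1000001; rev:1;)

# Apache-specific checks go to $HTTP_SERVERS and leave the IIS boxes alone
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL WEB-APACHE example, non-IIS hosts only"; flow:to_server,established; uricontent:"/example-apache-only"; nocase; classtype:web-application-activity; sid:1000002; rev:1;)

# A generic web signature that applies to both kinds of server is aimed at
# $HOME_NET so that it still covers the IIS hosts split out above
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL WEB-MISC example, all web servers"; flow:to_server,established; uricontent:"/example-any-webserver"; nocase; classtype:web-application-activity; sid:1000003; rev:1;)
```

The gain is that a rule update which ships new WEB-IIS rules written against $IIS_SERVERS stays quiet for the Apache hosts without any per-rule BPF or threshold tuning.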
