[Snort-users] Making snort smarter...

JP Vossen vossenjp at ...8683...
Tue Apr 29 17:10:28 EDT 2003


> Message: 6
> Date: Wed, 30 Apr 2003 09:31:23 +1200
> From: Jason Haar <Jason.Haar at ...294...>
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Making snort smarter...
> Organization: Trimble Navigation New Zealand Ltd.

<snip>

> Well maybe for the web-iis.rules - but your question really leads on to the
> more general question of "I have extensive knowledge of my network, and want
> to make snort only apply the right tests to the right hosts". The only way
> to do that is by you hand-crafting it (or a tool to "learn" the network and
> craft the rules to match - hmmmmm....) Some of the commercial IDS's do that.
>
> Something like parsing the output of a Nessus scan and creating IIS_SERVERS,
> APACHE_SERVERS, NFS_SERVERS, etc from that could be quite doable...

Lucid Security's ipANGEL (commercial product) does *exactly* that--reads a
Check Point FW-1 policy, does a Nessus vuln. scan targeted for hosts and
services in the policy, then tunes the Snort rules accordingly.

http://www.lucidsecurity.com/products.php

(I'm not associated with them, but I have friends that work there.)

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp at ...8684...
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows 98 or better, so I installed
Linux..."
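Added example, not part of the original message and not code from Snort, Nessus or ipANGEL: a sketch of the scan-to-variables idea discussed above, turning scan results into per-service Snort host variables. The pipe-delimited input is a constructed sample in the style of a Nessus NBE export, and the variable names and matching patterns are assumptions taken from the quoted suggestion.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of a Nessus NBE export
# (results|subnet|host|port|plugin|severity|text); not real scan data.
SAMPLE_NBE = """\
timestamps|||scan_start|Tue Apr 29 10:00:00 2003|
results|192.0.2|192.0.2.10|http (80/tcp)|10107|Security Note|The remote web server type is : Microsoft-IIS/5.0
results|192.0.2|192.0.2.11|http (80/tcp)|10107|Security Note|The remote web server type is : Apache/1.3.27 (Unix)
results|192.0.2|192.0.2.12|https (443/tcp)|10107|Security Note|The remote web server type is : Apache/1.3.26
results|192.0.2|192.0.2.12|http (80/tcp)|10107|Security Note|The remote web server type is : Apache/1.3.26
results|192.0.2|192.0.2.13|nfs (2049/udp)
results|192.0.2|bad-host|http (80/tcp)|10107|Security Note|Microsoft-IIS/4.0
"""

# Hypothetical mapping: Snort variable -> pattern matched against "port|text".
CLASSIFIERS = {
    "IIS_SERVERS": re.compile(r"Microsoft-IIS", re.I),
    "APACHE_SERVERS": re.compile(r"\bApache\b", re.I),
    "NFS_SERVERS": re.compile(r"^nfs \(2049/", re.I),
}

def classify_hosts(nbe_text):
    """Return {variable: set of IP addresses} from NBE-style result lines."""
    groups = defaultdict(set)
    for line in nbe_text.splitlines():
        fields = line.split("|", 6)
        if len(fields) < 4 or fields[0] != "results":
            continue  # timestamps and other record types carry no findings
        try:
            host = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # never copy unvalidated text into a Snort config
        evidence = fields[3] + "|" + (fields[6] if len(fields) > 6 else "")
        for var, pattern in CLASSIFIERS.items():
            if pattern.search(evidence):
                groups[var].add(host)
    return groups

def snort_vars(groups):
    """Render one 'var NAME [ip,ip]' line per group; empty groups become comments."""
    out = []
    for var in CLASSIFIERS:
        hosts = sorted(groups.get(var, ()), key=int)
        ips = ",".join(str(h) for h in hosts)
        out.append("var %s [%s]" % (var, ips) if hosts else "# %s: no hosts in scan" % var)
    return out

print("\n".join(snort_vars(classify_hosts(SAMPLE_NBE))))
```

A group with no hosts is emitted as a comment rather than an empty variable, so any rule file that references that variable has to be disabled as well or Snort will fail on the undefined name.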




