[Snort-users] Making snort smarter...

JP Vossen vossenjp at ...8683...
Tue Apr 29 17:10:28 EDT 2003

> Message: 6
> Date: Wed, 30 Apr 2003 09:31:23 +1200
> From: Jason Haar <Jason.Haar at ...294...>
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Making snort smarter...
> Organization: Trimble Navigation New Zealand Ltd.


> Well maybe for the web-iis.rules - but your question really leads on to the
> more general question of "I have extensive knowledge of my network, and want
> to make snort only apply the right tests to the right hosts". The only way
> to do that is by you hand-crafting it (or a tool to "learn" the network and
> craft the rules to match - hmmmmm....) Some of the commercial IDS's do that.
> Something like parsing the output of a Nessus scan and creating IIS_SERVERS,
> APACHE_SERVERS, NFS_SERVERS, etc from that could be quite doable...

Lucid Security's ipANGEL (commercial product) does *exactly* that--reads a
Check Point FW-1 policy, does a Nessus vuln. scan targeted for hosts and
services in the policy, then tunes the Snort rules accordingly.


(I'm not associated with them, but I have friends that work there.)

JP Vossen, CISSP              |:::======|                jp at ...8684...
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
"The software said it requires Windows 98 or better, so I installed
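
The idea in the quoted message (turning Nessus results into IIS_SERVERS, APACHE_SERVERS and NFS_SERVERS lists), as an added example; it is not code from either poster or from ipANGEL. The NBE-style sample lines are constructed, and the banner and service-name matching is an assumed heuristic.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in Nessus NBE style (pipe-delimited "results" records).
SAMPLE_NBE = """\
timestamps|||scan_start|Tue Apr 29 17:00:00 2003|
results|192.0.2|192.0.2.10|http (80/tcp)|10107|Security Note|The remote web server type is :\\n\\nMicrosoft-IIS/5.0
results|192.0.2|192.0.2.20|http (80/tcp)|10107|Security Note|The remote web server type is :\\n\\nApache/1.3.27 (Unix)
results|192.0.2|192.0.2.21|https (443/tcp)|10107|Security Note|The remote web server type is :\\n\\nApache/1.3.27 (Unix)
results|192.0.2|192.0.2.30|nfs (2049/udp)
results|192.0.2|not-an-ip|http (80/tcp)|10107|Security Note|Microsoft-IIS/5.0
"""

# Assumed mapping: banner substring or service name -> Snort variable name.
BANNER_GROUPS = {"microsoft-iis": "IIS_SERVERS", "apache": "APACHE_SERVERS"}
SERVICE_GROUPS = {"nfs": "NFS_SERVERS"}


def classify(nbe_text):
    """Group scanned hosts by the server type the scan results reveal."""
    groups = defaultdict(set)
    for line in nbe_text.splitlines():
        f = line.split("|")
        if len(f) < 4 or f[0] != "results":
            continue
        try:
            host = ipaddress.ip_address(f[2])
        except ValueError:
            continue  # only validated IPs may reach snort.conf
        service = f[3].split(" ", 1)[0].lower()
        if service in SERVICE_GROUPS:
            groups[SERVICE_GROUPS[service]].add(host)
        banner = f[6].lower() if len(f) > 6 else ""
        for needle, var in BANNER_GROUPS.items():
            if needle in banner:
                groups[var].add(host)
    return groups


def snort_vars(groups):
    """Render each group as a Snort 'var NAME [ip,ip]' line, sorted for stable diffs."""
    return ["var %s [%s]" % (v, ",".join(str(h) for h in sorted(groups[v])))
            for v in sorted(groups)]


if __name__ == "__main__":
    print("\n".join(snort_vars(classify(SAMPLE_NBE))))
```

The generated variables only narrow detection once the relevant rules reference them (for example $IIS_SERVERS in place of $HTTP_SERVERS in web-iis.rules), and the lists go stale unless the scan is rerun when hosts change.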
