[Snort-users] [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor

Matt Jonkman jonkman at ...4024...
Thu Dec 18 15:37:45 EST 2008


Frank Knobbe wrote:
> 
> No no, I mean, reviewing the alerts generated by inbound TOR sigs and
> checking if there are SQL injection or other attacks that the regular
> didn't alert on

Ahh ya. That's a very good idea. What I've been doing out of curiosity
so far is grepping my Apache logs for the IPs that trip Tor exit nodes
but nothing else, and so far they're all very obvious bad stuff. Looking
for apps that don't exist, pass change forms, RFIs etc.

Will look closer and see where we can tune rules to make sure there are
hits where appropriate.

Good idea, Frank!

Matt


> 
> -Frank

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
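
The review described in this message (find the sources that tripped only the Tor exit node signatures, then read what they requested) could be scripted as below; this is an added example, not code from the thread. It assumes Snort "fast" alert output, an Apache combined-format access log, and Tor signatures recognisable by the word "TOR" in the alert message; all sample lines, SIDs and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed Snort "fast" alert lines (sample data; SIDs are placeholders).
ALERTS = """\
12/18-15:30:01.000001  [**] [1:1000001:1] TOR exit node inbound [**] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80
12/18-15:30:02.000001  [**] [1:1000001:1] TOR exit node inbound [**] [Priority: 2] {TCP} 192.0.2.20:40000 -> 198.51.100.5:80
12/18-15:30:02.500000  [**] [1:1000002:1] WEB SQL injection attempt [**] [Priority: 1] {TCP} 192.0.2.20:40000 -> 198.51.100.5:80
12/18-15:31:00.000001  [**] [1:1000002:1] WEB SQL injection attempt [**] [Priority: 1] {TCP} 192.0.2.30:40001 -> 198.51.100.5:80
"""
# Constructed Apache combined-format access log lines.
ACCESS = """\
192.0.2.10 - - [18/Dec/2008:15:30:01 -0500] "GET /phpmyadmin/index.php HTTP/1.1" 404 209 "-" "-"
192.0.2.10 - - [18/Dec/2008:15:30:03 -0500] "GET /index.php?page=http://example.invalid/x.txt HTTP/1.1" 200 512 "-" "-"
192.0.2.20 - - [18/Dec/2008:15:30:02 -0500] "GET /item.php?id=1 HTTP/1.1" 200 734 "-" "-"
203.0.113.7 - - [18/Dec/2008:15:32:00 -0500] "GET / HTTP/1.1" 200 1024 "-" "-"
"""
ALERT_RE = re.compile(r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.*?) \[\*\*\]"
                      r".*\} (?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> ")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def is_tor(msg):
    # Assumption: Tor exit node rules carry the standalone word "TOR" in msg.
    return re.search(r"\bTOR\b", msg, re.I) is not None

def tor_only_sources(alert_text):
    """Source IPs whose every alert came from a Tor signature."""
    msgs = defaultdict(set)
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            msgs[m["src"]].add(m["msg"])
    return {ip for ip, seen in msgs.items() if all(is_tor(s) for s in seen)}

def uncovered_requests(alert_text, access_text):
    """Requests from Tor-only sources: candidates for rule tuning."""
    ips = tor_only_sources(alert_text)
    hits = defaultdict(list)
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["ip"] in ips:
            hits[m["ip"]].append((m["req"], int(m["status"])))
    return dict(hits)

if __name__ == "__main__":
    for ip, reqs in uncovered_requests(ALERTS, ACCESS).items():
        print(ip, reqs)
```
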