[Snort-users] logging abnormal traffic

Paul Melson pmelson at ...11827...
Wed Jan 16 07:14:26 EST 2008


On Jan 16, 2008 5:30 AM, Wim Fournier <hsmade at ...11827...> wrote:
> Hi all,
>
> I'm a newbie on this product, so please excuse me for asking stupid
> questions ;o)
>
> I want to monitor traffic to our web servers. The traffic is very
> well and easily defined. A definition would look like:
>
> client requests /some/dir/file?param=value&param2=value2&....etc
> Server responds with 200 OK and a GIF picture or a 302
>
> Now I want to log anything that does not match this, as in web
> requests that don't match this pattern and other requests than GET.
> Is there an easy way to do this? Like first defining the accepted
> traffic and logging anything else?
>
> Thanks for any clues, pointers, whatever

If you can easily define appropriate traffic to your webserver with a
couple of regex expressions, then you could write some pass rules for
the known-good pcre patterns and then write an alert rule that matched
on any connection to the web server.  This should result in only
things that don't match your pattern being alerted on by Snort.

More on rules here:
http://www.snort.org/docs/snort_htmanuals/htmanual_280/node163.html

PaulM
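The pass-then-alert approach described above, written out as an added example in Snort 2.x rule syntax (this is not code from the original thread). It assumes the `$HTTP_SERVERS`, `$HTTP_PORTS` and `$EXTERNAL_NET` variables from a stock snort.conf, the fixed path `/some/dir/file` from the question, and the parameter shape `name=value&name2=value2`; the `sid` values are arbitrary local IDs (1000000 and up is the customary local range).

```snort
# --- Known-good traffic: pass rules ---------------------------------------
# Client side: exactly one request shape is allowed. The pcre is anchored at
# the start of the payload, so a POST, a different path, or a request with no
# query string will not match and therefore will not be passed.
# Path and parameter shape are assumptions taken from the question.
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL known-good GET for /some/dir/file"; flow:to_server,established; content:"GET /some/dir/file?"; depth:19; pcre:"/^GET \/some\/dir\/file\?\w+=[^&\s]*(?:&\w+=[^&\s]*)* HTTP\/1\.[01]\r\n/"; sid:1000001; rev:1;)

# Server side: a 200 whose headers declare a GIF body, or a 302. The Content-Type
# check only works if the status line and headers are in the same reassembled
# stream segment (see the note on stream reassembly below).
pass tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"LOCAL known-good 200 GIF response"; flow:to_client,established; content:"HTTP/1."; depth:7; pcre:"/^HTTP\/1\.[01] 200 [^\r\n]*\r\n(?:[^\r\n]+\r\n)*?Content-Type\x3a image\/gif/i"; sid:1000002; rev:1;)
pass tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"LOCAL known-good 302 response"; flow:to_client,established; content:"HTTP/1."; depth:7; pcre:"/^HTTP\/1\.[01] 302 /"; sid:1000003; rev:1;)

# --- Everything else: catch-all alert rules --------------------------------
# Match any HTTP request or response that was not already passed above.
# "content:"HTTP/1."" keeps bare ACKs and non-HTTP payloads from alerting;
# a request whose method is anything other than the GET above still alerts.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL web request outside known-good pattern"; flow:to_server,established; content:"HTTP/1."; sid:1000004; rev:1;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"LOCAL web response outside known-good pattern"; flow:to_client,established; content:"HTTP/1."; depth:7; sid:1000005; rev:1;)
```

Two things to check before trusting the output. First, this only works if pass rules are evaluated before alert rules; confirm the rule application order for your Snort version (the `config order:` directive in snort.conf, or the `-o` command-line switch, control it, and older 2.x releases evaluated alert rules first by default). Second, the pcre in the 200 rule looks for `Content-Type` in the same payload as the status line, so TCP stream reassembly for `$HTTP_PORTS` must be enabled in the stream preprocessor, otherwise a response whose headers are split across packets will fall through to the catch-all alert and show up as a false positive.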
