[Snort-users] logging abnormal traffic

Wim Fournier hsmade at ...11827...
Wed Jan 16 08:57:16 EST 2008


Thanks for your thoughts on this. I'll give that a try ;o)

Wim

On Jan 16, 2008 1:14 PM, Paul Melson <pmelson at ...11827...> wrote:
>
> On Jan 16, 2008 5:30 AM, Wim Fournier <hsmade at ...11827...> wrote:
> > Hi all,
> >
> > I'm a newbie on this product, so please excuse me for asking stupid
> > questions ;o)
> >
> > I want to monitor traffic to our web servers. The traffic is very
> > well and easily defined. A definition would look like:
> >
> > client requests /some/dir/file?param=value&param2=value2&....etc
> > Server responds with 200 OK and a GIF picture or a 302
> >
> > Now I want to log anything that does not match this, as in web
> > requests that don't match this pattern and other requests than GET.
> > Is there an easy way to do this? Like first defining the accepted
> > traffic and logging anything else?
> >
> > Thanks for any clues, pointers, whatever
>
> If you can easily define appropriate traffic to your webserver with a
> couple of regex expressions, then you could write some pass rules for
> the known-good pcre patterns and then write an alert rule that matched
> on any connection to the web server.  This should result in only
> things that don't match your pattern being alerted on by Snort.
>
> More on rules here:
> http://www.snort.org/docs/snort_htmanuals/htmanual_280/node163.html
>
> PaulM
>
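The pass-then-alert approach Paul describes, written out as an added example that is not part of the original thread. The rule text below is mine, not Snort's own or the list's; `$HTTP_SERVERS` and `$HTTP_PORTS` are the usual snort.conf variables, and the query-string character classes and the `sid` numbers are assumptions. It generalizes the original `param=value&param2=value2` shape to any run of `key=value` pairs. The one detail that trips people up is rule ordering: Snort 2.x evaluates alert rules before pass rules unless you change the order, so the `config order` line (or the `-o` command-line switch) is what makes the pass rule actually suppress the catch-all alert.

```snort
# --- snort.conf ---------------------------------------------------------
# Snort 2.x default order is activation -> dynamic -> alert -> pass -> log,
# so the catch-all alert below would fire before the pass rule is consulted.
# This puts pass rules first (same effect as running snort with -o).
config order: pass activation dynamic alert log

# --- local.rules --------------------------------------------------------

# Pass the single request shape the web servers are expected to serve:
#   GET /some/dir/file?key=value&key2=value2... HTTP/1.x
# The allowed characters in keys and values are an assumption; narrow them
# to whatever the application really accepts. depth:19 covers exactly
# "GET /some/dir/file?" so the content match stays cheap and anchored.
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"PASS known-good GET to /some/dir/file"; \
    flow:to_server,established; \
    content:"GET /some/dir/file?"; depth:19; \
    pcre:"/^GET \/some\/dir\/file\?([A-Za-z0-9_]+=[A-Za-z0-9_.-]*&)*[A-Za-z0-9_]+=[A-Za-z0-9_.-]* HTTP\/1\.[01]\r\n/"; \
    sid:1000001; rev:1; )

# Alert on any other request to the same servers: a different path, a
# query string with unexpected characters, or a method other than GET.
# dsize:>0 keeps bare TCP ACK segments (no request in them) from alerting.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"Request to web server outside the allowed pattern"; \
    flow:to_server,established; dsize:>0; \
    sid:1000002; rev:1; )
```

Two caveats worth knowing before trusting the alert volume. First, pass and alert rules are evaluated per packet, so a long request that is split across TCP segments only matches the pass rule if the stream preprocessor (stream4/stream5 in 2.8) is reassembling client-to-server traffic on `$HTTP_PORTS`; otherwise the second segment, which no longer starts with `GET`, lands in the alert rule. Second, these rules only look at the request direction; the expected 200/GIF or 302 responses are never inspected, so a separate rule would be needed if you also want to catch unexpected response codes.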