[Snort-users] logging abnormal traffic
hsmade at ...11827...
Wed Jan 16 08:57:16 EST 2008
Thanks for your thoughts on this. I'll give that a try ;o)
On Jan 16, 2008 1:14 PM, Paul Melson <pmelson at ...11827...> wrote:
> On Jan 16, 2008 5:30 AM, Wim Fournier <hsmade at ...11827...> wrote:
> > Hi all,
> > I'm a newbie on this product, so please excuse me for asking stupid
> > questions ;o)
> > I want to monitor traffic to our web servers. The traffic is very
> > well and easily defined. A definition would look like:
> > client requests /some/dir/file?param=value&param2=value2&....etc
> > Server responds with 200 OK and a GIF picture or a 302
> > Now I want to log anything that does not match this, as in web
> > requests that don't match this pattern and other requests than GET.
> > Is there an easy way to do this? Like first defining the accepted
> > traffic and logging anything else?
> > Thanks for any clues, pointers, whatever
> If you can easily define appropriate traffic to your webserver with a
> couple of regex expressions, then you could write some pass rules for
> the known-good pcre patterns and then write an alert rule that matched
> on any connection to the web server. This should result in only
> things that don't match your pattern being alerted on by Snort.
> More on rules here:
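As an added illustration of the approach Paul describes (this is not a snippet from the thread or from the Snort project): a pass rule for the known-good request shape and a catch-all alert rule for everything else sent to the web servers. The path, parameter names and the character classes in the regex are assumptions standing in for the poster's real ones; `$EXTERNAL_NET`, `$HTTP_SERVERS` and `$HTTP_PORTS` are the variables snort.conf normally defines. SIDs above 1000000 are the range reserved for local rules.

```snort
# Added example, not from the thread. Assumed endpoint: GET /some/dir/file?param=...&param2=...
# Known-good request: let it through without alerting. flow:to_server keeps the
# server's 200/302 replies out of scope of these rules.
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Known-good GIF request"; flow:to_server,established; content:"GET /some/dir/file?"; pcre:"/^GET \/some\/dir\/file\?param=[A-Za-z0-9]+&param2=[A-Za-z0-9]+(&[A-Za-z0-9_]+=[A-Za-z0-9]*)* HTTP\/1\.[01]\r\n/"; classtype:not-suspicious; sid:1000001; rev:1;)

# Catch-all: any other client request to the web servers (other paths, POST, HEAD, ...)
# that the pass rule above did not already claim.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Unexpected request to web server"; flow:to_server,established; classtype:policy-violation; sid:1000002; rev:1;)
```

One caveat that trips people up: Snort 2.x evaluates rule types in the order alert, pass, log by default, so the pass rule would never get a chance to suppress the catch-all. Either start Snort with `-o` or put `config order: pass alert log activation dynamic` in snort.conf so pass rules are evaluated first. Keeping the pcre anchored with `^` and tightly bounded matters here, because anything the regex happens to accept is silently passed rather than logged.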