[Snort-users] Snort as an anomalous behavior IDS

Jason Haar Jason.Haar at ...294...
Fri Apr 2 07:09:47 EDT 2010

On 04/01/2010 11:32 AM, Willst Mail wrote:
> Is it as simple having a
> ruleset with the good rules, and a final rule that matches (any any ->
> any any)?
We use snort to monitor DMZes that way. Unlike real networks, DMZes are
meant to contain hosts that have specific roles, and don't have users
logged in running Skype/etc. i.e their traffic flows are predictable. In
particular, they shouldn't initiate outbound connections beyond the
expected AV updates, Windows/YUM updates/etc.

Then we created pass rules that  allow such things, and trigger alerts
on the rest. On our network, DMZ alerts are really quiet for ages - and
then some SysAdmin will forget where they are and go and read their
Gmail or something - and we get an alert - soon followed by a "sorry!
it's me!" - that proves it's working :-)

However, FTP is your enemy - no easy way to write "pass" rules for FTP.
I've got HTTP "pass" rules to allow connections to hosts containing
"uricontent:/repos/", or whitelist particular User-Agents - but you
can't say "allow curl to ftp files"


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list