[Snort-users] Snort as an anomalous behavior IDS

Jason Haar Jason.Haar at ...294...
Fri Apr 2 16:34:27 EDT 2010

On 04/03/2010 08:21 AM, Willst Mail wrote:
> Jason,
> Sounds like you did what I want to do.  Let's say outbound HTTP is
> fine but anything else is bad, would your ruleset look something like:

I'm not sure what you're wanting to use it for, but for us it was about
picking up *successful* compromises of our DMZ servers. i.e. someone
attacks a server, breaks in and the first thing they normally do is
download a toolkit - the rules are to pick up those events. They may use
HTTP to download that toolkit - so whitelisting all HTTP would mean you
won't detect the event.

We whitelist specific download types - i.e. downloading from Sophos
webservers is OK, connecting to is not. Takes some work
to get right - but it's worth it.


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
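As an added illustration of the approach Jason describes (not a ruleset from the original post or from Trimble), the following Snort 2.x fragment whitelists one specific download source with a pass rule and alerts on every other outbound connection initiated by a DMZ host. The network ranges, the vendor update-server addresses, the SID numbers and the message strings are placeholders assumed for this example; the `config order` line makes pass rules win over alert rules regardless of the default order of the Snort build in use.

```snort
# --- snort.conf fragment (added example; all addresses are placeholders) ---

# Evaluate pass rules before alert rules so the whitelist takes effect.
config order: pass alert log

# DMZ servers whose *outbound* behaviour we want to watch (assumed range).
ipvar DMZ_NET [192.0.2.0/24]

# Vendor update hosts the DMZ servers are allowed to fetch from (assumed addresses).
# In practice, populate this from the vendor's published update-server list.
ipvar ALLOWED_UPDATE_SERVERS [203.0.113.10,203.0.113.11]

# Whitelist: HTTP downloads from the approved update servers are fine.
pass tcp $DMZ_NET any -> $ALLOWED_UPDATE_SERVERS 80 ( \
    msg:"DMZ whitelisted vendor update download"; \
    flow:to_server,established; \
    sid:1000001; rev:1;)

# Everything else: a DMZ server starting an HTTP request to anywhere not in the
# whitelist is exactly the "post-compromise toolkit download" pattern.
alert tcp $DMZ_NET any -> !$DMZ_NET 80 ( \
    msg:"DMZ server initiated outbound HTTP request - possible toolkit download"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    sid:1000002; rev:1; \
    classtype:trojan-activity;)

# Any other outbound TCP connection attempt (non-HTTP) from a DMZ server.
# Legitimate DMZ egress such as DNS, NTP or outbound SMTP needs its own
# pass rules above this one, or it will generate alerts.
alert tcp $DMZ_NET any -> !$DMZ_NET !80 ( \
    msg:"DMZ server initiated outbound TCP connection on non-HTTP port"; \
    flags:S; \
    sid:1000003; rev:1; \
    classtype:policy-violation;)
```

The important design point is direction: the rules key on `$DMZ_NET` as the *source* and `flow:to_server` / `flags:S` as the initiating side, so inbound client traffic to the DMZ never matches, and only servers that start reaching out to the world trigger an alert. Tuning then consists of adding narrow pass rules for each legitimate egress path, which is the "takes some work to get right" part of the original message.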
