[Snort-users] Snort as an anomalous behavior IDS
Jason.Haar at ...294...
Fri Apr 2 16:34:27 EDT 2010
On 04/03/2010 08:21 AM, Willst Mail wrote:
> Sounds like you did what I want to do. Let's say outbound HTTP is
> fine but anything else is bad, would your ruleset look something like:
I'm not sure what you're wanting to use it for, but for us it was about
picking up *successful* compromises of our DMZ servers, i.e. someone
attacks a server, breaks in, and the first thing they normally do is
download a toolkit - the rules are to pick up those events. They may use
HTTP to download that toolkit - so whitelisting all HTTP would mean you
won't detect the event.
We whitelist specific download types - i.e. downloading from Sophos
web servers is OK, connecting to http://18.104.22.168/ is not. Takes some work
to get right - but it's worth it.
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
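As an added illustration of the approach described in this reply (example rules written for this page, not rules from the thread or from Trimble), the Snort 2.x fragment below whitelists a short list of approved update hosts and alerts on any other outbound connection attempt from a DMZ range. DMZ_NET, ALLOWED_UPDATE_SERVERS, DMZ_INFRA_SERVERS, the port list and the sids are placeholders to be replaced with your own values.

```snort
# Added example, not from the mailing-list post. Snort 2.x syntax assumed.
# Every address, port and sid below is a placeholder (RFC 5737 ranges).

# DMZ range and the only external hosts DMZ servers may fetch from
# (e.g. your AV vendor's update mirrors, resolved and listed here).
ipvar DMZ_NET [192.0.2.0/24]
ipvar ALLOWED_UPDATE_SERVERS [203.0.113.10,203.0.113.11]
# Internal infrastructure the DMZ legitimately talks to over UDP
# (resolver, NTP). Placeholder addresses.
ipvar DMZ_INFRA_SERVERS [192.0.2.53,192.0.2.123]
portvar HTTP_PORTS [80,8080]

# Hosts an HTTP connection from the DMZ may go to without an alert:
# other DMZ hosts plus the approved download servers.
ipvar HTTP_OK [$DMZ_NET,$ALLOWED_UPDATE_SERVERS]
# Hosts a UDP datagram from the DMZ may go to without an alert.
ipvar UDP_OK [$DMZ_NET,$DMZ_INFRA_SERVERS]

# 1. HTTP to anything NOT on the approved list. The negated ipvar does
#    the whitelisting, so no pass rules and no rule-ordering concerns.
#    flags:S,12 matches the SYN only (ignoring the ECN bits), so each
#    connection attempt produces one alert even if the fetch never
#    completes.
alert tcp $DMZ_NET any -> !$HTTP_OK $HTTP_PORTS ( \
    msg:"DMZ POLICY outbound HTTP to non-approved server"; \
    flags:S,12; \
    classtype:policy-violation; \
    sid:1000001; rev:1; \
)

# 2. Any other outbound TCP from the DMZ (ftp, ssh to a drop box, raw
#    reverse shells on odd ports): alert on the SYN.
alert tcp $DMZ_NET any -> !$DMZ_NET !$HTTP_PORTS ( \
    msg:"DMZ POLICY outbound non-HTTP TCP connection attempt"; \
    flags:S,12; \
    classtype:policy-violation; \
    sid:1000002; rev:1; \
)

# 3. Outbound UDP to anything other than your own resolver/NTP hosts.
alert udp $DMZ_NET any -> !$UDP_OK any ( \
    msg:"DMZ POLICY outbound UDP to non-approved server"; \
    classtype:policy-violation; \
    sid:1000003; rev:1; \
)
```

Expect the whitelist to need several rounds of tuning from the alerts these rules generate (CRL/OCSP checks, package repositories, monitoring agents) before it settles down.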