[Snort-users] Snort as an anomalous behavior IDS

Willst Mail willstmail at ...11827...
Wed Mar 31 18:32:42 EDT 2010


Hello,
I have a network segment for which I can actually nicely define what
is considered "good" traffic - unusual for a large network, but
apparently possible!  I could probably describe the traffic with the
equivalent of about 15-20 Snort rules.  Unfortunately it's not a
segment where we can use a firewall or router ACLs to actually
restrict traffic to this known-good set, but we still want to know
when traffic deviates from known good.  What I'd like to be able to do
is alert on anything that DOESN'T match the 15-20 rules defining good.
Any recommendations for how to do this?  Is it as simple as having a
ruleset with the good rules, and a final rule that matches (any any ->
any any)?
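A sketch of the "known-good plus catch-all" layout the post asks about, written as an added example rather than anything from the poster or the Snort project: it uses Snort 2.x pass rules for the allowed traffic and a final any/any alert. The addresses, ports and SIDs are constructed for illustration, and the ordering directive should be checked against the manual for the Snort version in use.

```snort
# snort.conf fragment: evaluate pass rules before alert rules
# (Snort 2.x "config order"; the -o command-line flag does the same).
# If alert rules are evaluated first, the catch-all below would still
# fire on every packet, good or not, so this line is what makes the
# approach work.
config order: pass alert log activation dynamic

# local.rules: describe the known-good traffic on the segment.
# Constructed example addresses; the real ruleset would have 15-20 of these.
# The <> operator matches both directions, so server replies do not fall
# through to the catch-all.
pass udp 10.1.1.0/24 any <> 10.1.0.53 53 (msg:"known-good DNS to local resolver"; sid:1000001; rev:1;)
pass tcp 10.1.1.0/24 any <> 10.1.0.80 80 (msg:"known-good HTTP to app server"; sid:1000002; rev:1;)
pass tcp 10.1.1.0/24 any <> 10.1.0.25 25 (msg:"known-good SMTP relay"; sid:1000003; rev:1;)

# Anything that reaches this rule did not match a pass rule above.
alert ip any any -> any any (msg:"Traffic outside known-good profile"; classtype:policy-violation; sid:1000099; rev:1;)
```

Expect noise from broadcast, ARP-adjacent and management traffic on first deployment; tune by adding pass rules for what turns out to be legitimate rather than by loosening the catch-all.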