[Snort-users] Rule set for non-intrusive events?

Eoin Miller eoin.miller at ...14586...
Wed Jan 9 12:09:41 EST 2013


On 1/9/2013 16:47, Steve Marotta wrote:
> Has anyone ever developed and published a Snort rule set that reports normal, non-intrusive, high-level events? Something like, SSH login, MySQL transaction, HTTP response, that sort of thing. I realize that's not quite in the domain for which Snort was intended, but it's technically possible and seems like something that at least one other person out there has wanted to do. Or maybe not. Do any of you know if something like that is available?

Usually what the server logs are for. Those will be much more accurate
than IDS. There is an INFO ruleset, but it is geared more towards
helping create logging for forensics/post compromise of drive-by
kits/infects rather than for immediate review:

http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-info.rules

-- Eoin
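To show what rules of the kind Steve asks about look like, here is an added example written for this thread; it is not from the ET emerging-info.rules file or from either poster. It assumes a stock Snort 2.9 snort.conf (the `$HOME_NET`, `$EXTERNAL_NET` and `$HTTP_PORTS` variables, the http_inspect preprocessor for `http_stat_code`, and the `not-suspicious` classtype from classification.config), and uses sids in the local 1000000+ range. The rules use the `log` action rather than `alert`, so they end up in the log facility instead of the alert stream.

```snort
# Added example (not from the thread or the ET ruleset): informational rules
# that record ordinary, expected events instead of attacks.
# Assumptions: stock Snort 2.9 variables and preprocessors; local sid range.

# SSH: the server answered a new connection with its version banner.
# Records "a client reached an SSH server", not whether the login succeeded.
log tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"INFO SSH server banner sent"; flow:established,from_server; content:"SSH-"; depth:4; classtype:not-suspicious; sid:1000001; rev:1;)

# HTTP: an internal web server returned 200 OK.
# http_stat_code needs http_inspect to have normalised the response.
log tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INFO HTTP 200 OK response"; flow:established,from_server; content:"200"; http_stat_code; classtype:not-suspicious; sid:1000002; rev:1;)

# MySQL: the server sent its initial handshake (greeting) packet.
# Wire format: 4-byte packet header, then protocol version byte 0x0a,
# so match that one byte at offset 4. This records a connection, not a query.
log tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"INFO MySQL server greeting"; flow:established,from_server; content:"|0a|"; offset:4; depth:1; classtype:not-suspicious; sid:1000003; rev:1;)
```

Two practical caveats when running rules like these: on a busy web server the HTTP rule fires on every successful response, so it needs an `event_filter` (`type limit`, tracked by source, once per N seconds) in snort.conf or the log volume swamps everything else; and none of these rules can see application state, which is why a MySQL "transaction" or a successful SSH login is only recoverable from the server's own logs, as Eoin's reply points out.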
