[Snort-users] Zombie detection rules

Alberto Colosi alcol at ...125...
Thu Feb 16 04:00:38 EST 2017


Hi, another approach ............. aren't firewalls?


I can't believe all is open; a zombie is a wide kind of possible activity and it is not so easy as can be imagined.


Firewalls and uncommon authorized port usage, for example during the night, but not only .............. . All other kinds of traffic will be dropped by firewalls, and this kind of log is important too.


A SIEM can perform this kind of check automatically; if not, you'll have to create some scripts to inspect log files.



Alberto Colosi

IT Security & Network



________________________________
From: Paul Li <paul at ...17768...>
Sent: Thursday, February 16, 2017 5:32 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Zombie detection rules

Is there any Snort rule for zombie detection, to detect if the devices Snort is monitoring are being used as zombies? Or some rules that can detect large egress traffic from a monitored device would also work.

Thanks,
Paul
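As an added illustration of the two ideas in this thread (Paul's "large egress traffic from a monitored device" and Alberto's "scripts to inspect log files" for uncommon port usage during the night), here is a small log-inspection script. It is not from the original posts; the firewall log format, the authorized-port set, the night window and the byte threshold are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines in a hypothetical syslog-like format.
LOG_LINES = """\
2017-02-16T02:13:05 ACCEPT src=10.0.0.12 dst=203.0.113.7 proto=tcp dport=443 bytes=1200
2017-02-16T02:14:11 ACCEPT src=10.0.0.12 dst=203.0.113.7 proto=tcp dport=6667 bytes=800
2017-02-16T02:15:40 DROP src=10.0.0.12 dst=198.51.100.9 proto=tcp dport=6667 bytes=0
2017-02-16T03:02:00 ACCEPT src=10.0.0.12 dst=203.0.113.7 proto=tcp dport=443 bytes=950000000
2017-02-16T10:30:22 ACCEPT src=10.0.0.25 dst=203.0.113.8 proto=tcp dport=443 bytes=5000
2017-02-16T23:45:00 ACCEPT src=10.0.0.25 dst=203.0.113.8 proto=udp dport=53 bytes=300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

AUTHORIZED_PORTS = {53, 80, 443}   # assumption: outbound ports the policy allows
NIGHT_HOURS = range(0, 6)          # assumption: 00:00-05:59 counts as "night"
EGRESS_THRESHOLD = 500_000_000     # assumption: bytes per source host per log window

def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            rec["dport"] = int(rec["dport"])
            rec["bytes"] = int(rec["bytes"])
            yield rec

def analyse(lines):
    """Return (night_uncommon, drops, heavy_senders) for the given log text."""
    night_uncommon = []            # accepted night-time flows to unauthorized ports
    drops = defaultdict(int)       # count of firewall drops per source host
    egress = defaultdict(int)      # accepted outbound bytes per source host
    for r in parse(lines):
        if r["action"] == "DROP":
            drops[r["src"]] += 1   # dropped traffic is a signal too, as Alberto notes
            continue
        egress[r["src"]] += r["bytes"]
        if r["ts"].hour in NIGHT_HOURS and r["dport"] not in AUTHORIZED_PORTS:
            night_uncommon.append((r["src"], r["dst"], r["dport"]))
    heavy = {src: b for src, b in egress.items() if b > EGRESS_THRESHOLD}
    return night_uncommon, dict(drops), heavy

if __name__ == "__main__":
    print(analyse(LOG_LINES))
```

A SIEM would express the same three checks as correlation rules; the script is the fallback Alberto describes when no SIEM is available.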