[Snort-users] Zombie detection rules

Alberto Colosi alcol at ...125...
Thu Feb 16 04:00:38 EST 2017

Hi another approach ............. are not firewalls ?

I can't believe all is open , zombie is a wide kind of possible activity and is not so easy as can be imagined.

firewalls and uncommon authorized port usage for example during the night but not only .............. . All other kind of traffic will be dropped by firewalls and this kind of log is important too.

a SIEM can perform this kind of check in automatic if not you'll have to create some scripts to inspect log files.

Alberto Colosi

IT Security & NetWork

From: Paul Li <paul at ...17768...>
Sent: Thursday, February 16, 2017 5:32 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Zombie detection rules

Is there any snort rule for zombies detection: to detect if the devices snort is monitoring are used as zombies. Or some rules that can detect large outgress traffic from a monitored device would also work.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170216/21b80aae/attachment.html>

More information about the Snort-users mailing list