[Snort-users] Zombie detection rules
alcol at ...125...
Thu Feb 16 04:00:38 EST 2017
Hi another approach ............. are not firewalls ?
I can't believe all is open , zombie is a wide kind of possible activity and is not so easy as can be imagined.
firewalls and uncommon authorized port usage for example during the night but not only .............. . All other kind of traffic will be dropped by firewalls and this kind of log is important too.
a SIEM can perform this kind of check in automatic if not you'll have to create some scripts to inspect log files.
IT Security & NetWork
From: Paul Li <paul at ...17768...>
Sent: Thursday, February 16, 2017 5:32 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Zombie detection rules
Is there any snort rule for zombies detection: to detect if the devices snort is monitoring are used as zombies. Or some rules that can detect large outgress traffic from a monitored device would also work.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users