Snort mailing list archives
Re: Future or presently developed question
From: Chris Green <cmg () uab edu>
Date: Mon, 05 Nov 2001 09:24:06 -0600
"Sean Wheeler" <S.Wheeler () netprotect ch> writes:
> Hi,
>
> With the current webserver attack frenzy we have experienced, I am seeing literally thousands of entries in my logs, 99% of which are irrelevant. If I am asking a question which has been asked before, please refrain from the flames and rather point me in the direction I am looking for. Is it possible now or in future to analyse the response returned by the server, and then have snort decide whether it is worth logging the alert or not?
Most of this is an IDS postprocessing problem for lots of us. We *want* to see who is trying things and what they are trying. Providing enough functionality to prioritize them internally though would be an interesting feature.
> For example, a CodeRed II access to the backdoor DOS shell: if the server returns a 404 not found, could snort not report the IDS alert in this case?
attack-responses.rules:

alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; flags: A+; classtype:bad-unknown; sid:1292; rev:1;)

Covers the case where you were successfully attacked by Nimda. Perhaps something can be done w/ streams for snort 2.0....
> I am not asking for a million scenarios, but in particular a function for just the 404 example, which would reduce the alerts by probably 99%. If this feature does exist, are there any "Heads Up" you have in using this, and where would I find documentation specifically on implementing this feature? I look forward to your constructive responses :)
>
> regards
> Sean
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Chris Green <cmg () uab edu>
To err is human, to moo bovine.
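The "IDS postprocessing" Chris describes, as an added example that is not code from this thread or from Snort: a small Python script that pairs request-side web alerts with the HTTP status the server actually returned for the same TCP session, suppresses those answered 404 (the requested resource did not exist, so the probe found nothing), escalates those answered 2xx or followed by a response-side signature such as the attack-responses rule quoted above (sid 1292), and leaves the rest for review. The alert lines are constructed in Snort's "fast" alert layout; the request-side sids 9000001 and 9000002 are placeholders, the response log format is invented for the example, and the assumption that servers answer on port 80 mirrors the `$HTTP_SERVERS 80` of the quoted rule.

```python
"""Correlate request-side web IDS alerts with the server's HTTP reply.

Assumption for this toy: HTTP servers answer on port 80, so any packet whose
source port is 80 is treated as server -> client.
"""
import re
from collections import defaultdict

HTTP_PORT = 80

# Snort "fast" alert layout: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Invented response-log layout: timestamp src:port -> dst:port HTTP/x.y status
RESP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+HTTP/\d\.\d\s+(?P<status>\d{3})$"
)

# Constructed sample data (not taken from the thread). sids 9000001/9000002 are
# placeholders; 1292 is the attack-responses rule quoted in the reply above.
ALERT_LINES = [
    "11/05-09:01:02.000000  [**] [1:9000001:1] WEB-IIS cmd.exe access (placeholder) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4012 -> 198.51.100.10:80",
    "11/05-09:01:03.000000  [**] [1:9000002:1] WEB-IIS root.exe access (placeholder) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4015 -> 198.51.100.10:80",
    "11/05-09:01:03.040000  [**] [1:1292:1] ATTACK RESPONSES http dir listing [**] [Classification: bad-unknown] [Priority: 2] {TCP} 198.51.100.10:80 -> 203.0.113.7:4015",
    "11/05-09:01:04.000000  [**] [1:9000001:1] WEB-IIS cmd.exe access (placeholder) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4018 -> 198.51.100.10:80",
    "11/05-09:01:05.000000  [**] [1:9000001:1] WEB-IIS cmd.exe access (placeholder) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.33:51000 -> 198.51.100.10:80",
]
RESPONSE_LINES = [
    "11/05-09:01:02.050000 198.51.100.10:80 -> 203.0.113.7:4012 HTTP/1.0 404",
    "11/05-09:01:03.030000 198.51.100.10:80 -> 203.0.113.7:4015 HTTP/1.0 200",
    "11/05-09:01:04.030000 198.51.100.10:80 -> 203.0.113.7:4018 HTTP/1.0 403",
    # no reply was captured for the 192.0.2.33:51000 session
]


def session_key(src, sport, dst, dport):
    """Canonical (client, cport, server, sport) tuple regardless of direction."""
    if int(sport) == HTTP_PORT:  # server -> client: flip so both sides share a key
        return (dst, int(dport), src, int(sport))
    return (src, int(sport), dst, int(dport))


def parse_alerts(lines):
    """Parse fast-format alert lines; silently skip lines that do not match."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sid"] = int(d["sid"])
        d["key"] = session_key(d["src"], d["sport"], d["dst"], d["dport"])
        d["from_server"] = int(d["sport"]) == HTTP_PORT
        alerts.append(d)
    return alerts


def parse_responses(lines):
    """Map each session key to the HTTP status the server returned."""
    status = {}
    for line in lines:
        m = RESP_RE.match(line)
        if m:
            status[session_key(m["src"], m["sport"], m["dst"], m["dport"])] = int(m["status"])
    return status


def triage(alert_lines, response_lines):
    """Return (sid, session_key, verdict, reason) for every request-side alert."""
    alerts = parse_alerts(alert_lines)
    status = parse_responses(response_lines)
    # Response-side signatures (e.g. sid 1292) that fired on the server's reply
    server_hits = defaultdict(list)
    for a in alerts:
        if a["from_server"]:
            server_hits[a["key"]].append(a["sid"])
    verdicts = []
    for a in alerts:
        if a["from_server"]:
            continue  # folded into the request alert of the same session
        code = status.get(a["key"])
        if server_hits[a["key"]]:
            verdict, why = "escalate", "attack-response signature fired on the reply"
        elif code is None:
            verdict, why = "review", "no response seen for this session"
        elif code == 404:
            verdict, why = "suppress", "server answered 404, resource not present"
        elif 200 <= code < 300:
            verdict, why = "escalate", f"server answered {code}"
        else:
            verdict, why = "review", f"server answered {code}"
        verdicts.append((a["sid"], a["key"], verdict, why))
    return verdicts


if __name__ == "__main__":
    for sid, key, verdict, why in triage(ALERT_LINES, RESPONSE_LINES):
        print(f"sid {sid} {key[0]}:{key[1]} -> {key[2]}:{key[3]}: {verdict} ({why})")
```

Sessions with no captured reply are deliberately kept for review rather than suppressed: a missing response can mean the sensor dropped packets, the server was overwhelmed, or the request was a half-open probe, none of which is a reason to discard the request alert.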