Re: Making snort smarter...

[Paul Schmehl <pauls () utdallas edu>]

Sure, I could do that, and then I'd have to cron it so that after 
oinkmaster replaces the rules they get fixed again.

Wouldn't it be simpler to just incorporate this as a change to the ruleset? 
That way it's fixed for everyone.

--On Tuesday, April 29, 2003 09:03:50 PM +1200 Jason Haar 
<Jason.Haar () trimble co nz> wrote:

> Paul Schmehl wrote:
> > For the specific example you give I think it would be entirely
> > appropriate to create a var called "$IIS_SERVERS" and then put all the
> > *other* webservers under $HTTP_SERVERS.  I've suggested this before, and
> > I'd love to see it implemented in the rules, because IIS is a beast unto
> > itself.
>
> Good idea - but as all IIS rules are within web-iis.rules, why not just
> script a rewrite?
>
> echo "var IIS_SERVERS [1.2.3.4/32,2.3.4.1/32]"
> sed 's/HTTP_SERVERS/IIS_SERVERS/g' web-iis.rules
>
>
> Jason
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users