Snort mailing list archives
Re: Snort as an anomalous behavior IDS
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Sat, 03 Apr 2010 09:34:27 +1300
On 04/03/2010 08:21 AM, Willst Mail wrote:
Jason, Sounds like you did what I want to do. Let's say outbound HTTP is fine but anything else is bad, would your ruleset look something like:
I'm not sure what you're wanting to use it for, but for us it was about picking up *successful* compromises of our DMZ servers. I.e. someone attacks a server, breaks in, and the first thing they normally do is download a toolkit - the rules are to pick up those events. They may use HTTP to download that toolkit - so whitelisting all HTTP would mean you won't detect the event. We whitelist specific download types - i.e. downloading from Sophos webservers is OK, connecting to http://1.2.3.4/ is not. Takes some work to get right - but it's worth it.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
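An added example, not taken from Jason's mail or from the Snort project, of the approach described above in Snort 2 rule syntax: outbound HTTP from DMZ hosts to a short list of approved download sources is treated as normal, and every other outbound connection a DMZ host initiates raises an alert. The DMZ range, the update-server addresses, the variable names and the SIDs are assumptions (RFC 5737 documentation addresses stand in for real ones); $EXTERNAL_NET is the usual snort.conf variable.

```snort
# Added example, not from the original thread. Addresses, variable names
# and SIDs are placeholders; adjust them to your environment.
# Assumes Snort 2.x rule syntax and a snort.conf that defines $EXTERNAL_NET.

# Hypothetical DMZ hosts and the only outbound HTTP destinations they are
# allowed to reach (e.g. a vendor's update servers). Documentation ranges only.
ipvar DMZ_SERVERS [203.0.113.0/24]
ipvar UPDATE_SERVERS [192.0.2.10,192.0.2.11]
portvar HTTP_PORTS [80,8080]

# 1. Outbound HTTP from a DMZ host to anything other than the approved
#    update servers: the "download a toolkit over HTTP" case.
#    Matching the SYN (flags:S) makes each new connection alert once
#    instead of once per packet.
alert tcp $DMZ_SERVERS any -> !$UPDATE_SERVERS $HTTP_PORTS (msg:"DMZ server initiating outbound HTTP to non-whitelisted host"; flags:S; classtype:policy-violation; sid:1000001; rev:1;)

# 2. Any other outbound TCP connection a DMZ host initiates on a non-HTTP
#    port (reverse shells, IRC, FTP fetches, ...). Add further ipvar/portvar
#    exceptions here for legitimate traffic such as mail relaying or DNS.
alert tcp $DMZ_SERVERS any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"DMZ server initiating outbound TCP connection on non-HTTP port"; flags:S; classtype:policy-violation; sid:1000002; rev:1;)

# 3. Higher-signal companion to rule 1: an HTTP request whose Host header
#    is a bare IP address (the "http://1.2.3.4/" case), which legitimate
#    vendor downloads almost never use. Inspects the raw payload of an
#    established client-to-server stream.
alert tcp $DMZ_SERVERS any -> !$UPDATE_SERVERS $HTTP_PORTS (msg:"DMZ server HTTP request to bare IP address"; flow:to_server,established; content:"Host|3A| "; nocase; pcre:"/^Host\x3A\s*\d{1,3}(?:\.\d{1,3}){3}\s*$/mi"; classtype:policy-violation; sid:1000003; rev:1;)
```

The whitelist is expressed by negating the approved destinations in the rule header rather than with a `pass` rule, so the rest of the ruleset keeps inspecting the whitelisted traffic too; a `pass` rule would drop those packets from all further inspection. Expect the first few days to be spent extending the UPDATE_SERVERS list and the port exceptions in rule 2 until the remaining alerts are genuinely unexpected connections.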
Current thread:
- Re: Snort as an anomalous behavior IDS Jason Haar (Apr 02)
- <Possible follow-ups>
- Re: Snort as an anomalous behavior IDS Willst Mail (Apr 02)
- Re: Snort as an anomalous behavior IDS Joel Esler (Apr 02)
- Re: Snort as an anomalous behavior IDS Paul Schmehl (Apr 02)
- Re: Snort as an anomalous behavior IDS Jason Haar (Apr 02)
- Re: Snort as an anomalous behavior IDS Joel Esler (Apr 02)