Snort mailing list archives

Content scanning


From: Thomas Novin <thnov () thalamus se>
Date: Wed, 05 Dec 2001 14:07:13 +0100

Hi all.

As always, I want to do the opposite of what Snort is intended to do. On 3-4 subnets, all clients have got static IPs but aren't allowed to have any open ports. We log this by logging all connections from these subnets with the flags SYN+ACK set. There are a few exceptions however, a few clients that pay extra to run a mail server at home.

The allowed ports for these users are: 21 (FTP), 25 (SMTP), 80 (WWW), 110 (POP3), 143 (IMAP). I want to check whether it's really POP traffic on port 110, web traffic on port 80 and so on.

Are there any content patterns already written that do this? I've checked all the included rulesets but those (of course) only trigger when someone is trying to do something "bad".

Regards,

Thomas.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
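One way to express the setup from the post above as Snort rules, added here as an illustration; it is not from the thread or from the Snort distribution. It assumes Snort 2.x rule syntax (`flow`, `flowbits`, `content:!` negation and `depth`, none of which the Snort 1.x of the post's era has), and every address, host and SID is a constructed placeholder. It goes slightly beyond the post by checking the first payload of each allowed port for that protocol's banner (POP3, SMTP, FTP and IMAP greet from the server side; HTTP is checked on the client's request line).

```snort
# Added example (not from the thread). Placeholder values, replace with yours:
#   CLIENT_NET - the static-IP client subnets that may not run servers
#   MAIL_HOSTS - the few customers allowed to run servers on the listed ports
var CLIENT_NET [10.1.0.0/24,10.2.0.0/24]
var MAIL_HOSTS [10.1.0.50,10.2.0.77]

# 1. A SYN+ACK leaving a client subnet means a client accepted an inbound
#    connection, i.e. it has an open port. flags:SA matches packets with
#    exactly SYN and ACK set (no other flags).
log tcp $CLIENT_NET any -> any any (msg:"Client accepting inbound connection"; flags:SA; sid:1000001; rev:1;)

# 2. Exempt the paying hosts, but only on the five allowed ports. pass rules
#    win over log/alert rules only when Snort is started with -o (or with
#    'config order: pass alert log' in snort.conf).
pass tcp $MAIL_HOSTS [21,25,80,110,143] -> any any (flags:SA; sid:1000002; rev:1;)

# 3. Protocol sanity checks on the allowed ports. Each pair of rules judges
#    only the first payload-carrying packet of a session: a flowbit is set
#    once a verdict exists, so later data packets (which naturally do not
#    start with the banner) neither re-alert nor false-alert. dsize:>0 keeps
#    empty ACKs from matching the negated content.

# POP3 (110): server greeting must start with "+OK"
alert tcp $MAIL_HOSTS 110 -> any any (msg:"Port 110 but no POP3 greeting"; flow:from_server,established; flowbits:isnotset,pop3.seen; dsize:>0; content:!"+OK"; depth:3; flowbits:set,pop3.seen; sid:1000010; rev:1;)
alert tcp $MAIL_HOSTS 110 -> any any (msg:"POP3 greeting ok"; flow:from_server,established; content:"+OK"; depth:3; flowbits:set,pop3.seen; flowbits:noalert; sid:1000011; rev:1;)

# SMTP (25): server greeting must start with "220"
alert tcp $MAIL_HOSTS 25 -> any any (msg:"Port 25 but no SMTP greeting"; flow:from_server,established; flowbits:isnotset,smtp.seen; dsize:>0; content:!"220"; depth:3; flowbits:set,smtp.seen; sid:1000020; rev:1;)
alert tcp $MAIL_HOSTS 25 -> any any (msg:"SMTP greeting ok"; flow:from_server,established; content:"220"; depth:3; flowbits:set,smtp.seen; flowbits:noalert; sid:1000021; rev:1;)

# FTP (21): server greeting must start with "220"
alert tcp $MAIL_HOSTS 21 -> any any (msg:"Port 21 but no FTP greeting"; flow:from_server,established; flowbits:isnotset,ftp.seen; dsize:>0; content:!"220"; depth:3; flowbits:set,ftp.seen; sid:1000030; rev:1;)
alert tcp $MAIL_HOSTS 21 -> any any (msg:"FTP greeting ok"; flow:from_server,established; content:"220"; depth:3; flowbits:set,ftp.seen; flowbits:noalert; sid:1000031; rev:1;)

# IMAP (143): server greeting must start with "* OK"
alert tcp $MAIL_HOSTS 143 -> any any (msg:"Port 143 but no IMAP greeting"; flow:from_server,established; flowbits:isnotset,imap.seen; dsize:>0; content:!"* OK"; depth:4; flowbits:set,imap.seen; sid:1000040; rev:1;)
alert tcp $MAIL_HOSTS 143 -> any any (msg:"IMAP greeting ok"; flow:from_server,established; content:"* OK"; depth:4; flowbits:set,imap.seen; flowbits:noalert; sid:1000041; rev:1;)

# HTTP (80): the client speaks first, so check its request line instead.
# All three negated contents must hold, i.e. the payload starts with none
# of the common methods.
alert tcp any any -> $MAIL_HOSTS 80 (msg:"Port 80 but no HTTP request"; flow:to_server,established; flowbits:isnotset,http.seen; dsize:>0; content:!"GET "; depth:4; content:!"POST "; depth:5; content:!"HEAD "; depth:5; flowbits:set,http.seen; sid:1000050; rev:1;)
alert tcp any any -> $MAIL_HOSTS 80 (msg:"HTTP request ok"; flow:to_server,established; content:"GET "; depth:4; flowbits:set,http.seen; flowbits:noalert; sid:1000051; rev:1;)
```

The banner checks only catch a non-matching protocol on the first packet of a session, which is enough to tell "something that is not POP3 listening on 110" from real POP3; they say nothing about what happens later in the session, and a multi-line or slow greeting that arrives in a second packet would be judged on its first packet alone. Rule 2 is the weakest link operationally: without `-o` (or the `config order` line) the pass rule is evaluated after the log rule and silently has no effect, so verify the rule order on startup.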

