Snort mailing list archives
Content scanning
From: Thomas Novin <thnov () thalamus se>
Date: Wed, 05 Dec 2001 14:07:13 +0100
Hi all.

As always, I want to do the opposite of what snort is intended to do. On 3-4 subnets, all clients have got static IPs but aren't allowed to have any open ports. We log this by logging all connections from these subnets with the flags SYN+ACK set. There are a few exceptions however, a few clients that pay extra to run a mail server at home.

The allowed ports for these users are: 21 (FTP), 25 (SMTP), 80 (WWW), 110 (POP3), 143 (IMAP). I want to check whether it's really POP traffic on port 110, web traffic on port 80 and so on.

Are there any content patterns already written that do this? I've checked all the included rulesets but those (of course) only trigger when someone is trying to do something "bad".
Regards, Thomas.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
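One way to express both halves of the check above in Snort rules, as an added example that is not part of the original post or of any thread reply: the first rule flags a client answering (SYN+ACK) on any port outside the allowed list, and the remaining rules look at the server's reply on each allowed port and alert only when the first bytes do not look like the expected protocol banner. The variable name `$CLIENT_NETS`, the example subnets, the SIDs and the message strings are all assumptions made here; the syntax is Snort 2.x (port lists in brackets, `flow`, negated `content`), not the 2001-era syntax the poster would have used.

```snort
# Added example, not from the original post. Assumes snort.conf defines the
# client subnets (constructed addresses):
#   ipvar CLIENT_NETS [192.0.2.0/24,198.51.100.0/24]

# 1. Any client that accepts an inbound connection on a port that is not allowed.
#    A SYN+ACK leaving a client address means a listener answered.
#    flags:SA,12 = SYN and ACK set, ignoring the two reserved (ECN) bits.
alert tcp $CLIENT_NETS ![21,25,80,110,143] -> any any (msg:"CLIENT listener on disallowed port"; flags:SA,12; threshold:type limit, track by_src, count 1, seconds 600; sid:1000001; rev:1;)

# 2. Allowed ports: alert when the server side of an established session sends
#    data whose first bytes are not the expected banner / response line.
#    flow:from_server,established limits the check to the server's packets;
#    content:!"..." with depth:N matches when the pattern is absent from the
#    first N bytes of the payload.
alert tcp $CLIENT_NETS 21  -> any any (msg:"CLIENT port 21 traffic is not FTP";  flow:from_server,established; content:!"220";   depth:3; threshold:type limit, track by_src, count 1, seconds 600; sid:1000002; rev:1;)
alert tcp $CLIENT_NETS 25  -> any any (msg:"CLIENT port 25 traffic is not SMTP"; flow:from_server,established; content:!"220";   depth:3; threshold:type limit, track by_src, count 1, seconds 600; sid:1000003; rev:1;)
alert tcp $CLIENT_NETS 80  -> any any (msg:"CLIENT port 80 traffic is not HTTP"; flow:from_server,established; content:!"HTTP/"; depth:5; threshold:type limit, track by_src, count 1, seconds 600; sid:1000004; rev:1;)
alert tcp $CLIENT_NETS 110 -> any any (msg:"CLIENT port 110 traffic is not POP3"; flow:from_server,established; content:!"+OK";  depth:3; threshold:type limit, track by_src, count 1, seconds 600; sid:1000005; rev:1;)
alert tcp $CLIENT_NETS 143 -> any any (msg:"CLIENT port 143 traffic is not IMAP"; flow:from_server,established; content:!"* OK"; depth:4; threshold:type limit, track by_src, count 1, seconds 600; sid:1000006; rev:1;)
```

Two caveats a practitioner should keep in mind. A negated `content` match is true for every server packet that lacks the pattern, so on a genuine POP3 session every data packet after the `+OK` greeting would also fire; the `threshold` option caps that at one alert per source per ten minutes, which is enough to spot a non-POP3 listener without drowning in events (a flowbit set on the first server packet would be the more precise fix). And a banner check only verifies that the service speaks the protocol's greeting, not that it is the service the customer claims to run; anything more than that needs a protocol decoder rather than a content pattern.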
Current thread:
- Content scanning Thomas Novin (Dec 05)
- Re: Content scanning Chris Green (Dec 05)