Snort mailing list archives
Re: Content scanning
From: Chris Green <cmg () uab edu>
Date: Wed, 05 Dec 2001 08:20:14 -0600
Thomas Novin <thnov () thalamus se> writes:
The allowed ports for these users are: 21 (FTP), 25 (SMTP), 80 (WWW), 110 (POP3), 143 (IMAP). I want to check whether it's really POP traffic on port 110, web traffic on port 80 and so on. Is there any content pattern already written that does this? I've checked all the included rulesets but those (of course) only trigger when someone is trying to do something "bad".
To do this, I believe you'd have to write a protocol analyzer, as you can't write a rule that will match content as all those protocols have significant amounts of payload data associated with them. Then you could flag when that protocol was violated.
--
Chris Green <cmg () uab edu>
I've had a perfectly wonderful evening. But this wasn't it. -- Groucho Marx
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
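As an added example (not code from the thread or from Snort), here is the kind of check the reply describes: a small Python checker that takes the first line seen on a connection to one of the allowed ports and flags a violation when it does not look like the protocol expected there. The port-to-protocol table and the sample lines are constructed for the example; the greeting and request-line shapes follow the respective RFCs.

```python
import re

# Port -> expected protocol, the allowed ports from the question (constructed mapping).
PORT_PROTOCOL = {21: "FTP", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}

# Which side speaks first and what its first line must look like.  FTP and SMTP
# servers open with a 3-digit reply code, POP3 with "+OK", IMAP with an untagged
# "* OK" / "* PREAUTH" / "* BYE"; for HTTP the client opens with a request line.
FIRST_LINE = {
    "FTP":  ("server", re.compile(rb"^(120|220|421)[ -]")),
    "SMTP": ("server", re.compile(rb"^(220|554)[ -]")),
    "POP3": ("server", re.compile(rb"^\+OK( |\r?\n|$)")),
    "IMAP": ("server", re.compile(rb"^\* (OK|PREAUTH|BYE)( |\r?\n|$)")),
    "HTTP": ("client", re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE) \S+ HTTP/\d\.\d\r?\n")),
}


def check_first_line(port, direction, first_line):
    """Return "conforms", "violation" or "unknown-port".

    direction is "server" or "client": the side that sent first_line, the very
    first bytes seen on the connection (up to and including the first CRLF).
    """
    proto = PORT_PROTOCOL.get(port)
    if proto is None:
        return "unknown-port"
    speaks_first, pattern = FIRST_LINE[proto]
    # The wrong side talking first is itself a violation, e.g. a client
    # sending data on port 110 before any POP3 greeting has been seen.
    if direction != speaks_first:
        return "violation"
    return "conforms" if pattern.match(first_line) else "violation"


def scan(events):
    """events: iterable of (port, direction, first_line); returns the violations."""
    return [(p, d, l) for p, d, l in events if check_first_line(p, d, l) == "violation"]


# Constructed sample opening lines, not captured traffic.
SAMPLE_EVENTS = [
    (110, "server", b"+OK POP3 server ready <1896.697170952@mail.example.net>\r\n"),
    (25, "server", b"220 mail.example.net ESMTP\r\n"),
    (80, "client", b"GET /index.html HTTP/1.0\r\n"),
    (143, "server", b"* OK IMAP4rev1 service ready\r\n"),
    (21, "server", b"220-Welcome to ftp.example.net\r\n"),
    (110, "server", b"220 mail.example.net ESMTP\r\n"),  # an SMTP greeting on the POP3 port
    (80, "client", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),  # binary, not an HTTP request line
    (80, "server", b"HTTP/1.0 200 OK\r\n"),  # server spoke before any client request
]

if __name__ == "__main__":
    for port, direction, line in scan(SAMPLE_EVENTS):
        print("port %d: %s sent %r, not %s" % (port, direction, line, PORT_PROTOCOL[port]))
```

Only the opening line is inspected, which is the cheap first step; a full analyzer would keep following the command/reply grammar for the rest of the session.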
Current thread:
- Content scanning Thomas Novin (Dec 05)
- Re: Content scanning Chris Green (Dec 05)