Snort mailing list archives

Re: Content scanning


From: Chris Green <cmg () uab edu>
Date: Wed, 05 Dec 2001 08:20:14 -0600

Thomas Novin <thnov () thalamus se> writes:

The allowed ports for these users are: 21 (FTP), 25 (SMTP), 80 (WWW),
110 (POP3), 143 (IMAP). I want to check whether it's really POP traffic
on port 110, web traffic on port 80 and so on.

Are there any content patterns already written that do this? I've
checked all the included rulesets but those (of course) only trigger
when someone is trying to do something "bad".

To do this, I believe you'd have to write a protocol analyzer as you
can't write a rule that will match content as all those protocols have
significant amounts of payload data associated with them.

Then you could flag when that protocol was violated.
-- 
Chris Green <cmg () uab edu>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx
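The protocol analyzer Chris describes, as an added example that is not from either poster and is not a Snort feature: for each of the five allowed ports it checks the first payload bytes of a flow (server greeting for FTP, SMTP, POP3 and IMAP; client request line for HTTP) against what the expected protocol must send, and flags the flow when they do not match. The flow tuple layout, the `EXPECTED` table and the sample flows are all constructed for this example.

```python
import re

# Constructed conformance checks, one per allowed port: (direction, regex over
# the first payload bytes in that direction). "s2c" = server greeting,
# "c2s" = client's first line. Ports not listed are not policed.
EXPECTED = {
    21:  ("s2c", rb"^220[ -]"),                      # FTP greeting
    25:  ("s2c", rb"^220[ -]"),                      # SMTP greeting
    80:  ("c2s", rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r?\n"),
    110: ("s2c", rb"^\+OK"),                         # POP3 greeting
    143: ("s2c", rb"^\* (OK|PREAUTH|BYE)"),          # IMAP greeting
}

def conforms(port, direction, payload):
    """True/False if the first payload bytes in `direction` do/don't look like
    the protocol expected on `port`; None if nothing is decided (unpoliced
    port, or the first message in this direction is not the one we key on)."""
    rule = EXPECTED.get(port)
    if rule is None:
        return None
    want_dir, pattern = rule
    if direction != want_dir:
        return None
    return re.match(pattern, payload[:512]) is not None

def flag_violations(flows):
    """flows: iterable of (src, dst, dport, direction, first_payload).
    Returns the flows whose first payload contradicts the expected protocol."""
    return [f for f in flows if conforms(f[2], f[3], f[4]) is False]

# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10",   110, "s2c", b"+OK POP3 server ready\r\n"),
    ("10.0.0.5", "192.0.2.20",   80,  "c2s", b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
    ("10.0.0.7", "198.51.100.9", 110, "s2c", b"SSH-2.0-OpenSSH_8.9\r\n"),  # not a POP3 greeting
    ("10.0.0.7", "198.51.100.9", 80,  "c2s", b"\x16\x03\x01\x00\xa5\x01"),  # not an HTTP request
    ("10.0.0.9", "203.0.113.4",  443, "c2s", b"\x16\x03\x01"),              # port not policed
]

if __name__ == "__main__":
    for f in flag_violations(SAMPLE_FLOWS):
        print("protocol violation on port %d: %s -> %s" % (f[2], f[0], f[1]))
```

A greeting check only proves that the first message looks right, so a real analyzer would keep validating the command/response exchange after it.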

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
