Snort mailing list archives
Re: How's best to alert on Web connections that *don't* contain particular content?
From: Phil Wood <cpw () lanl gov>
Date: Tue, 25 Feb 2003 16:53:49 -0700
You could use two instances of snort: one with a bpf filter that just does your trendmicro traffic (and possibly a different snort.conf for the rules you want checked), and one with a bpf filter which is "not" the above, with your vanilla snort.conf. I've got multiple snorts running on one linux box. All you need is memory and a fast cpu. Use the '-R <id>' option to differentiate between the two instances. For example, I'm running 4 instances:

# ls /var/run/*snort*
/var/run/snort_eth2-bg.pid
/var/run/snort_eth2-by.pid
/var/run/snort_eth2-gv.pid
/var/run/snort_eth2-mm.pid

(notice the 'bg|by|gv|mm' shows up in acid as a unique snorter too.)

Later,

On Wed, Feb 26, 2003 at 11:18:16AM +1300, Jason Haar wrote:
> On Tue, Feb 25, 2003 at 04:04:09PM -0600, Kenneth G. Arnold wrote:
> > You could write an alert to catch all port 80 connections but write a pass rule that would be processed first that lets the Trendmicro traffic be ignored.
>
> Yeah - but the problem with those sorts of rules is that you end up skipping the rest of the IDS rules too. This rule needs to be at the top so that it triggers before any "normal" rule can get at it. (That's because any match is a "pageable" event vs just a standard alert: you should know you're compromised if one of these triggers.)
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
--
Phil Wood, cpw () lanl gov

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
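The two-instance split Phil describes, written out as an added example (this is editorial code, not anything from Phil's post or from the Snort project): one function builds the BPF expression covering the update servers, a second builds its exact complement, and a third assembles the snort command line with the -R suffix so the pid files and the ACID sensor names stay distinct. The addresses in TM_HOSTS are placeholders from the RFC 5737 test range, not real Trend Micro servers; eth2, the two .conf paths and the pid-file suffix form /var/run/snort_eth2-<id>.pid (matching Phil's listing) are assumed.

```shell
# Added example: complementary BPF filters for two snort instances.
# TM_HOSTS, eth2 and the .conf paths below are placeholders/assumptions.

# "(host A or host B ...)" from a space-separated list of addresses
hosts_expr() {
    e=""
    for h in "$@"; do
        if [ -z "$e" ]; then e="host $h"; else e="$e or host $h"; fi
    done
    printf '(%s)' "$e"
}

# Instance 1: only web traffic involving the update servers; this instance
# gets the restricted snort.conf whose rules should fire on anything odd
trend_filter() {
    printf 'tcp port 80 and %s' "$(hosts_expr "$@")"
}

# Instance 2: the "not" of the above, so the vanilla rule set still covers
# every other port-80 packet and no packet is seen by both instances
other_filter() {
    printf 'tcp port 80 and not %s' "$(hosts_expr "$@")"
}

# One daemonised snort. -R <id> suffixes the pid file (assumed to give
# /var/run/snort_<iface>-<id>.pid, as in Phil's ls output); the BPF
# expression is passed as the trailing argument, tcpdump style.
snort_cmd() {
    iface=$1; id=$2; conf=$3; filter=$4
    printf 'snort -D -i %s -R %s -c %s "%s"' "$iface" "$id" "$conf" "$filter"
}

TM_HOSTS="192.0.2.10 192.0.2.11"   # placeholder addresses (RFC 5737 TEST-NET-1)

# Print the two command lines rather than executing them
# shellcheck disable=SC2086
snort_cmd eth2 tm  /etc/snort/snort-trend.conf "$(trend_filter $TM_HOSTS)"; echo
snort_cmd eth2 gen /etc/snort/snort.conf       "$(other_filter $TM_HOSTS)"; echo
```

Because the second filter is literally `not` of the first over the same `tcp port 80` base, the union of what the two instances see is all port-80 traffic and the intersection is empty, which is what makes the approach avoid the pass-rule problem Jason raised: the update traffic never reaches the vanilla rule set, and the vanilla rule set never has to skip anything.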
Current thread:
- How's best to alert on Web connections that *don't* contain particular content? Jason Haar (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Kenneth G. Arnold (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Jason Haar (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Phil Wood (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Frank Knobbe (Feb 26)
- Re: How's best to alert on Web connections that *don't* contain particular content? Jason Haar (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Brian (Feb 26)
- Re: How's best to alert on Web connections that *don't* contain particular content? Martin Roesch (Feb 26)
- <Possible follow-ups>
- RE: How's best to alert on Web connections that *don't* contain particular content? Schmehl, Paul L (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Kenneth G. Arnold (Feb 25)