Snort mailing list archives
Re: How's best to alert on Web connections that *don't* contain particular content?
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 26 Feb 2003 11:30:42 -0600
On Tue, 2003-02-25 at 16:18, Jason Haar wrote:
> Yeah - but the problem with those sorts of rules is that you end up skipping the rest of the IDS rules too. This rule needs to be at the top so that it triggers before any "normal" rule can get at it. (That's because any match is a "pageable" event vs just a standard alert: you should know you're compromised if one of these triggers.)
I think PASSing them with Trend Micro's IP address in the pass rule seems very reasonable, since you still analyze everything else. I would tweak/pass it as part of the tuning process. Let the alert fire and check the details (like the IP address of Trend's servers) and construct your pass rules with that.

Regards,
Frank
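An illustration of the tuning approach Frank describes, added here as an example and not taken from either message: a pass rule scoped to a single update-server address sits beside the negated-content alert rule the thread is about, so only that one destination is exempted and all other HTTP traffic still reaches the normal rule set. The address 192.0.2.10 and the marker string "X-Expected-Marker" are placeholders; the real values come from inspecting the alerts as Frank suggests.

```snort
# Pass rule scoped to the update server. Only flows to this address are
# exempted; every other HTTP request is still evaluated by the full rule set.
# 192.0.2.10 is a placeholder; substitute the address seen in the alerts.
var TREND_UPDATE_SERVER 192.0.2.10
pass tcp $HOME_NET any -> $TREND_UPDATE_SERVER $HTTP_PORTS (msg:"Trend Micro update traffic, exempt from content check"; flow:to_server,established; sid:1000001; rev:1;)

# Alert on outbound HTTP requests that do NOT contain the expected marker.
# This is the "doesn't contain particular content" check from the thread;
# the marker string is an assumption for this example.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP request without expected marker"; flow:to_server,established; content:"GET "; depth:4; content:!"X-Expected-Marker"; sid:1000002; rev:1;)

# A pass rule only wins if pass rules are evaluated before alert rules.
# Older Snort builds evaluate alert first by default; set pass-first order
# in snort.conf (or with the -o switch on the command line).
config order: pass alert log
```

With pass-first ordering in place, the negated-content alert can be left enabled and tuned one destination at a time, which keeps the exemption narrow instead of disabling the rule outright.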