Snort mailing list archives
Re: How's best to alert on Web connections that *don't* contain particular content?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 28 Feb 2003 16:53:28 +1300
On Wed, Feb 26, 2003 at 09:26:37PM -0500, Martin Roesch wrote:
> Do you just want to look for outbound SYN packets from your DMZ? Seems like that might do a nice job of picking up a system that gets compromised.
Yup: that's the idea :-)
> Additionally, if you only have a few server ports you can just write a set of pass rules to ignore traffic on the ports that you know will be used.
Yup to that too: I'm basically doing:

alert tcp $TRIMBLE_DMZES_NETS any -> !$VALID_REMOTE_NETWORKS :24
alert tcp $TRIMBLE_DMZES_NETS any -> !$VALID_REMOTE_NETWORKS 26:79
alert tcp $TRIMBLE_DMZES_NETS any -> !$VALID_REMOTE_NETWORKS 80
alert tcp $TRIMBLE_DMZES_NETS any -> !$VALID_REMOTE_NETWORKS 81:1023
alert tcp $TRIMBLE_DMZES_NETS !20 -> !$VALID_REMOTE_NETWORKS 1024:

i.e. ignore SMTP and treat Web special - that's the one where I need to allow outgoing Trend HTTP commands, but alert on anything else (not to a valid remote network - like redhat.com/windowsupdate/etc).

I think I've got it sussed now. Changing from the broken regex to distance: has done the trick, I don't get any alerts unless I manually make one of the DMZ hosts do something it shouldn't :-)

This sort of thing has a future I feel. Instead of all the HUGE number of alerts any IDS will give you, this allows you to see the successful ones. I'm setting swatch up to page me on these rules only - although I don't expect to be woken up :-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
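A small model of the egress policy those five rule headers express, added here as an illustration; it is not code from the post and does not use Snort itself. It evaluates the header logic (source in the DMZ nets, destination negated against the allow-listed remote nets, the port ranges, and the !20 source-port exception for active FTP data) against constructed flow records, and models the port-80 special case as "alert unless the payload carries an assumed Trend marker string". The networks, the marker string and the 10.9.8.7 "outside host" are placeholders, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder networks standing in for the post's $TRIMBLE_DMZES_NETS and
# $VALID_REMOTE_NETWORKS variables (documentation ranges, not Trimble's real addresses).
DMZ_NETS = [ipaddress.ip_network("192.0.2.0/24")]
VALID_REMOTE_NETS = [ipaddress.ip_network("198.51.100.0/24"),
                     ipaddress.ip_network("203.0.113.0/24")]
# Hypothetical marker standing in for the Trend HTTP request the post wants to allow on port 80.
TREND_MARKER = b"X-Example-Trend-Update"


def parse_port_spec(spec: str):
    """Parse a Snort-style port field: 'any', '80', ':24', '26:79', '1024:', '!20'.
    Returns (low, high, negated)."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return 0, 65535, negated
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0), (int(hi) if hi else 65535), negated
    return int(spec), int(spec), negated


def port_matches(port: int, spec: str) -> bool:
    lo, hi, negated = parse_port_spec(spec)
    inside = lo <= port <= hi
    return not inside if negated else inside


def in_nets(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


@dataclass
class Rule:
    name: str
    src_port: str
    dst_port: str
    allow_if_payload_has: Optional[bytes] = None  # suppress the alert when this appears


# The five header rules from the post, in the same order; the port-80 rule carries the
# content exception the post describes, modelled as "alert unless the payload has the marker".
RULES = [
    Rule("dmz-out :24", "any", ":24"),
    Rule("dmz-out 26:79", "any", "26:79"),
    Rule("dmz-out 80 non-Trend", "any", "80", allow_if_payload_has=TREND_MARKER),
    Rule("dmz-out 81:1023", "any", "81:1023"),
    Rule("dmz-out 1024: (not ftp-data)", "!20", "1024:"),
]


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def alerts_for(flow: Flow) -> List[str]:
    """Names of the rules that fire for one outbound flow (empty list = policy satisfied)."""
    # Address checks shared by every rule: source in the DMZ, destination NOT allow-listed.
    if not in_nets(flow.src, DMZ_NETS) or in_nets(flow.dst, VALID_REMOTE_NETS):
        return []
    fired = []
    for rule in RULES:
        if not (port_matches(flow.sport, rule.src_port) and port_matches(flow.dport, rule.dst_port)):
            continue
        if rule.allow_if_payload_has and rule.allow_if_payload_has in flow.payload:
            continue
        fired.append(rule.name)
    return fired


if __name__ == "__main__":
    # Constructed flows; 10.9.8.7 stands in for an arbitrary non-allow-listed Internet host.
    samples = [
        Flow("192.0.2.10", 40001, "203.0.113.5", 80),                       # allow-listed dest
        Flow("192.0.2.10", 40002, "10.9.8.7", 25),                          # SMTP: ignored
        Flow("192.0.2.10", 40003, "10.9.8.7", 80, b"GET /x HTTP/1.0\r\nX-Example-Trend-Update: 1\r\n"),
        Flow("192.0.2.10", 40004, "10.9.8.7", 80, b"GET /other HTTP/1.0\r\n"),
        Flow("192.0.2.10", 20, "10.9.8.7", 51000),                          # active FTP data
        Flow("192.0.2.10", 40005, "10.9.8.7", 6667),                        # anything else high
    ]
    for f in samples:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}  {alerts_for(f) or 'no alert'}")
```

Only the last three sample flows produce an alert-worthy result (the plain port-80 request without the marker, and the unexpected high-port connection); the allow-listed destination, SMTP and the FTP data channel fall through, which is exactly the "only see the successful ones" property the post is after. In real Snort the port-80 exception would be expressed with a content match and the distance: modifier the post mentions, not with a substring test on the whole payload.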
Current thread:
- How's best to alert on Web connections that *don't* contain particular content? Jason Haar (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Kenneth G. Arnold (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Jason Haar (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Phil Wood (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Frank Knobbe (Feb 26)
- Re: How's best to alert on Web connections that *don't* contain particular content? Jason Haar (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Brian (Feb 26)
- Re: How's best to alert on Web connections that *don't* contain particular content? Martin Roesch (Feb 26)
- Re: How's best to alert on Web connections that *don't* contain particular content? Jason Haar (Feb 27)
- <Possible follow-ups>
- RE: How's best to alert on Web connections that *don't* contain particular content? Schmehl, Paul L (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Kenneth G. Arnold (Feb 25)