rules ?

[Charles Ballowe <hangman-snort () steelballs org>]

I see alot of generic IIS exploits sweep across the webservers that
I have snort watching. I don't 100% trust the Windows admins to have 
their boxen patched against such things, but everything currently there
is patched.

Is there any way to have a rule also check for the response? I only really
care about that traffic if i see a successful attack.

Also - is there a way to make snort log the stream, rather than just the
packet it found the attack in? Preferably something that integrates with
ACID?

any suggestions?
-charlie


-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger 
for complex code. Debugging C/C++ programs can leave you feeling lost and 
disoriented. TotalView can help you find your way. Available on major UNIX 
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users