Snort mailing list archives

Making snort smarter...


From: "Tobias Rice" <rice () up edu>
Date: Mon, 28 Apr 2003 14:47:36 -0700

 

I was just thinking about what would make Snort better/smarter and was curious how hard it would be to associate certain services/servers with sigs just for those services/servers. Not unlike defining $vars in the snort.conf, but much more robust. Maybe even a target flag in the rules themselves? For example, I'm just sick of seeing IIS alerts for my Apache servers, but I have IIS boxes too, so I can't turn it off. I know that you can use BPFs and other filters to accomplish this, but in a large company it can really be time-consuming to hone all of the rules, filters, yada yada. It would just be more efficient to define all of your services/servers once and have it just ignore all irrelevant alerts if so desired, even when rules are added or updated. Any thoughts?



