Snort mailing list archives
Re: Making snort smarter...
From: Paul Schmehl <pauls () utdallas edu>
Date: Mon, 28 Apr 2003 17:03:14 -0500
For the specific example you give I think it would be entirely appropriate to create a var called "$IIS_SERVERS" and then put all the *other* webservers under $HTTP_SERVERS. I've suggested this before, and I'd love to see it implemented in the rules, because IIS is a beast unto itself.
I too get irritated by the many IIS alerts for Apache servers. (We also have both.)
Other than that one anomaly, I'm not sure what you have in mind. I can't think of another alert that is so consistently "abused".
--On Monday, April 28, 2003 02:47:36 PM -0700 Tobias Rice <rice () up edu> wrote:
I was just thinking about what would make snort better/smarter and was curious how hard it would be to associate certain services/servers with sigs just for those services/servers. Not unlike defining $vars in the snort.conf, but much more robust. Maybe even a target flag in the rules themselves? For example, I'm just sick of seeing IIS alerts for my Apache servers, but I have IIS boxes too, so I can't turn it off. I know that you can use BPFs and other filters to accomplish this, but in a large company it can really be time consuming to hone all of the rules, filters, yada yada. It would just be more efficient to define all of your services/servers once and have it ignore all irrelevant alerts if so desired, even when rules are added or updated. Any thoughts?
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
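The split Paul proposes, as an added example that is not part of the thread: a short Python helper that re-points WEB-IIS rules from $HTTP_SERVERS to a new $IIS_SERVERS var and shows which alerts would then be considered for a given destination. The var values, rules, sids and address ranges are all constructed here (RFC 5737 documentation addresses), not taken from anyone's snort.conf.

```python
import ipaddress
import re

# Constructed snort.conf-style address vars: Apache boxes stay in HTTP_SERVERS,
# IIS boxes go in the new IIS_SERVERS var suggested in the reply above.
VARS = {
    "HTTP_SERVERS": "[192.0.2.10,192.0.2.11]",
    "IIS_SERVERS": "[192.0.2.20/31]",
}

# Constructed sample rules in classic Snort 2 syntax (local sid range); the msg
# prefixes mirror the web-iis.rules / web-misc.rules naming of the period.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS example IIS-only check"; flow:to_server,established; content:"/scripts/"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC example generic check"; flow:to_server,established; content:"/etc/passwd"; nocase; sid:1000002; rev:1;)
"""

# action proto src sport -> (dst var) dport (
HEADER_RE = re.compile(r"^(\w+\s+\w+\s+\S+\s+\S+\s+->\s+)(\$\w+)(\s+\S+\s+\()")
MSG_RE = re.compile(r'msg:"([^"]*)"')


def retarget_iis_rules(rules_text):
    """Rewrite the destination of every WEB-IIS rule from $HTTP_SERVERS to $IIS_SERVERS."""
    out = []
    for line in rules_text.splitlines():
        m = MSG_RE.search(line)
        if m and m.group(1).startswith("WEB-IIS"):
            line = HEADER_RE.sub(
                lambda h: h.group(1)
                + ("$IIS_SERVERS" if h.group(2) == "$HTTP_SERVERS" else h.group(2))
                + h.group(3),
                line, count=1)
        out.append(line)
    return "\n".join(out)


def parse_var(value):
    """Turn a Snort address list such as [a,b/24] into ip_network objects."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in value.strip("[]").split(",") if tok]


def alert_applies(rule, dst_ip, variables=VARS):
    """True if the rule's destination var covers dst_ip, i.e. the rule is even in play."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unrecognised rule header")
    nets = parse_var(variables[m.group(2).lstrip("$")])
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in nets)
```

Note the trade-off the test exposes: once IIS boxes leave $HTTP_SERVERS, generic WEB-MISC rules no longer cover them unless those rules target both groups (e.g. `[$HTTP_SERVERS,$IIS_SERVERS]`).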