Snort mailing list archives

Re: Making snort smarter...


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 30 Apr 2003 09:31:23 +1200

On Tue, Apr 29, 2003 at 09:49:24AM -0500, Paul Schmehl wrote:
> Sure, I could do that, and then I'd have to cron it so that after
> oinkmaster replaces the rules they get fixed again.
>
> Wouldn't it be simpler to just incorporate this as a change to the ruleset?
> That way it's fixed for everyone.

Well, maybe for the web-iis.rules - but your question really leads on to the
more general question of "I have extensive knowledge of my network, and want
to make snort only apply the right tests to the right hosts". The only way
to do that is by you hand-crafting it (or a tool to "learn" the network and
craft the rules to match - hmmmmm....). Some of the commercial IDSs do that.

Something like parsing the output of a Nessus scan and creating IIS_SERVERS,
APACHE_SERVERS, NFS_SERVERS, etc from that could be quite doable...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
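The Nessus-to-Snort idea floated in the message above, as an added example that is not part of the original post and not code from the Snort or Nessus projects: a Python script that reads a Nessus NBE report, buckets hosts by what the scan saw running on them, and writes Snort 2.x `var` definitions that a cron job could regenerate after oinkmaster runs. The NBE field layout, the banner strings matched, the plugin IDs and the sample report are all assumptions constructed for the example; adjust the classifiers to whatever plugins your own scans actually run.

```python
"""Turn a Nessus NBE report into Snort `var` host lists.

Added example, not from the original post. Assumed NBE record layout:
    results|subnet|host|service (port/proto)|plugin id|severity|description
"""
import re
from collections import defaultdict

# Constructed sample report (not real scan output); plugin IDs are assumed.
SAMPLE_NBE = """\
timestamps|||scan_start|Tue Apr 29 10:00:00 2003|
results|10.1.1|10.1.1.10|www (80/tcp)|10107|INFO|The remote web server type is : Microsoft-IIS/5.0
results|10.1.1|10.1.1.11|www (80/tcp)|10107|INFO|The remote web server type is : Apache/1.3.27 (Unix)
results|10.1.1|10.1.1.12|www (80/tcp)|10107|INFO|The remote web server type is : Apache/2.0.44 (Unix)
results|10.1.1|10.1.1.20|nfs (2049/udp)|10437|INFO|Here is the export list of 10.1.1.20 : /home *
results|10.1.1|10.1.1.10|www (80/tcp)|10107|INFO|The remote web server type is : Microsoft-IIS/5.0
results|10.1.1|10.1.1.30|smtp (25/tcp)|10263|INFO|Remote SMTP server banner : 220 mail ESMTP Sendmail
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# (Snort variable name, predicate over the service field and description).
# The service names and banner substrings are assumptions about what the
# scanner reports; tune them to your own plugin output.
CLASSIFIERS = [
    ("IIS_SERVERS", lambda svc, desc: svc.startswith("www") and "Microsoft-IIS" in desc),
    ("APACHE_SERVERS", lambda svc, desc: svc.startswith("www") and "Apache/" in desc),
    ("NFS_SERVERS", lambda svc, desc: svc.startswith("nfs") or "export list" in desc),
]


def _ip_key(host):
    """Sort key so 10.1.1.9 lands before 10.1.1.10."""
    return tuple(int(octet) for octet in host.split("."))


def parse_nbe(text):
    """Return {var_name: sorted, de-duplicated host list} from NBE text."""
    groups = defaultdict(set)
    for line in text.splitlines():
        fields = line.split("|")
        # Only 'results' records carry findings; timestamps etc. are skipped.
        if len(fields) < 7 or fields[0] != "results":
            continue
        host, service = fields[2], fields[3]
        desc = "|".join(fields[6:])  # description may itself contain '|'
        if not IPV4.match(host):
            continue  # Snort vars want addresses, not hostnames
        for name, pred in CLASSIFIERS:
            if pred(service, desc):
                groups[name].add(host)
    return {name: sorted(groups[name], key=_ip_key) for name, _ in CLASSIFIERS}


def render_snort_vars(groups, fallback="$HOME_NET"):
    """Render Snort 2.x `var NAME [ip,ip,...]` lines.

    A group the scan found nothing for falls back to `fallback` so rules
    that reference the variable still load and still fire, just less
    selectively, rather than breaking the whole config.
    """
    out = []
    for name, hosts in groups.items():
        if hosts:
            out.append(f"var {name} [{','.join(hosts)}]")
        else:
            out.append(f"# {name}: no hosts found by scan, using fallback")
            out.append(f"var {name} {fallback}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Typical use: redirect into a file that snort.conf pulls in with `include`,
    # then change the affected rules to use $IIS_SERVERS etc. instead of $HTTP_SERVERS.
    print(render_snort_vars(parse_nbe(SAMPLE_NBE)), end="")
```

Run from the same cron job that drives oinkmaster, redirecting output to a file that snort.conf `include`s, so the host lists are refreshed whenever the rules are. The fallback to `$HOME_NET` is deliberate: an empty bracket list would stop Snort loading, while a missing host just means a rule fires more broadly than it needs to.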

