Snort mailing list archives
Re: Making snort smarter...
From: JP Vossen <vossenjp () netaxs com>
Date: Tue, 29 Apr 2003 20:05:47 -0400 (EDT)
Message: 6
Date: Wed, 30 Apr 2003 09:31:23 +1200
From: Jason Haar <Jason.Haar () trimble co nz>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Making snort smarter...
Organization: Trimble Navigation New Zealand Ltd.
<snip>
Well maybe for the web-iis.rules - but your question really leads on to the more general question of "I have extensive knowledge of my network, and want to make snort only apply the right tests to the right hosts". The only way to do that is by you hand-crafting it (or a tool to "learn" the network and craft the rules to match - hmmmmm....) Some of the commercial IDS's do that. Something like parsing the output of a Nessus scan and creating IIS_SERVERS, APACHE_SERVERS, NFS_SERVERS, etc from that could be quite doable...
Lucid Security's ipANGEL (commercial product) does *exactly* that--reads a Check Point FW-1 policy, does a Nessus vuln. scan targeted for hosts and services in the policy, then tunes the Snort rules accordingly.

http://www.lucidsecurity.com/products.php

(I'm not associated with them, but I have friends that work there.)

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|             jp () jpsdomain org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows 98 or better, so I installed Linux..."
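The idea raised in the quoted message (turning scan output into IIS_SERVERS, APACHE_SERVERS and NFS_SERVERS), as an added example that is not part of the original thread and is not ipANGEL's or Snort's own code. The pipe-delimited input layout, the banner patterns and the function names are assumptions made for the illustration; only the variable names come from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample rows (host|port|service banner). The layout is an
# assumption for this example, not a documented scanner export format.
SAMPLE_SCAN = """\
10.0.0.5|80/tcp|Microsoft-IIS/5.0
10.0.0.6|80/tcp|Apache/1.3.27 (Unix)
10.0.0.7|2049/udp|nfs (RPC program 100003)
10.0.0.12|80/tcp|Microsoft-IIS/4.0
not-an-ip|80/tcp|Apache/2.0.45
10.0.0.9|22/tcp|SSH-1.99-OpenSSH_3.5p1
"""

# Variable names are the ones named in the post; the patterns are assumptions.
CLASSIFIERS = [
    ("IIS_SERVERS", re.compile(r"Microsoft-IIS", re.I)),
    ("APACHE_SERVERS", re.compile(r"\bApache\b", re.I)),
    ("NFS_SERVERS", re.compile(r"\bnfs\b", re.I)),
]

def classify(scan_text):
    """Group scanned hosts by the service their banner identifies."""
    groups = defaultdict(set)
    for line in scan_text.splitlines():
        parts = line.strip().split("|", 2)
        if len(parts) != 3:
            continue  # malformed row
        host, _port, banner = parts
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # never write unvalidated text into a Snort config
        for var, pattern in CLASSIFIERS:
            if pattern.search(banner):
                groups[var].add(addr)
    return groups

def snort_vars(groups):
    """Render one 'var NAME [ip,ip]' line per group, in a stable order."""
    lines = []
    for var, _pattern in CLASSIFIERS:
        hosts = sorted(groups.get(var, ()), key=lambda a: (a.version, int(a)))
        if hosts:
            lines.append("var %s [%s]" % (var, ",".join(str(h) for h in hosts)))
        else:
            lines.append("# %s: no hosts found, variable not defined" % var)
    return lines
```

Rules that reference a variable left undefined will not load, so an empty group should be reviewed by hand before the generated file replaces a working configuration.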