Snort mailing list archives

Re: Making snort smarter...


From: JP Vossen <vossenjp () netaxs com>
Date: Tue, 29 Apr 2003 20:05:47 -0400 (EDT)

Message: 6
Date: Wed, 30 Apr 2003 09:31:23 +1200
From: Jason Haar <Jason.Haar () trimble co nz>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Making snort smarter...
Organization: Trimble Navigation New Zealand Ltd.

<snip>

Well maybe for the web-iis.rules - but your question really leads on to the
more general question of "I have extensive knowledge of my network, and want
to make snort only apply the right tests to the right hosts". The only way
to do that is by you hand-crafting it (or a tool to "learn" the network and
craft the rules to match - hmmmmm....) Some of the commercial IDSs do that.

Something like parsing the output of a Nessus scan and creating IIS_SERVERS,
APACHE_SERVERS, NFS_SERVERS, etc from that could be quite doable...

Lucid Security's ipANGEL (commercial product) does *exactly* that--reads a
Check Point FW-1 policy, does a Nessus vuln. scan targeted for hosts and
services in the policy, then tunes the Snort rules accordingly.

http://www.lucidsecurity.com/products.php

(I'm not associated with them, but I have friends that work there.)

Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp () jpsdomain org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows 98 or better, so I installed
Linux..."
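One way to act on the Nessus-to-snort.conf idea quoted above, as an added example that is not part of this thread or of either product mentioned: a Python script that reads findings in the pipe-delimited NBE layout Nessus could export (the exact field order is an assumption, and the sample lines are constructed) and emits `var` lists that rules can then reference as `$IIS_SERVERS`, `$APACHE_SERVERS` and `$NFS_SERVERS`.

```python
import re
from collections import defaultdict

# Constructed sample in the NBE-style layout assumed here:
#   results|subnet|host|service|plugin id|severity|description
# (the duplicate IIS line and the non-"results" record are there on purpose).
SAMPLE_NBE = """\
results|192.168.1|192.168.1.10|www (80/tcp)|10107|INFO|HTTP Server type and version : Microsoft-IIS/5.0
results|192.168.1|192.168.1.11|www (80/tcp)|10107|INFO|HTTP Server type and version : Apache/1.3.27 (Unix)
results|192.168.1|192.168.1.12|nfs (2049/tcp)|10437|NOTE|NFS export list
results|192.168.1|192.168.1.11|ssh (22/tcp)|10267|INFO|SSH server type and version
results|192.168.1|192.168.1.10|www (80/tcp)|10107|INFO|HTTP Server type and version : Microsoft-IIS/5.0
timestamps|||scan_start|Tue Apr 29 20:00:00 2003|
"""

# Snort variable name -> pattern tested against "<service> <description>" of each finding.
ROLE_PATTERNS = {
    "IIS_SERVERS": re.compile(r"Microsoft-IIS", re.I),
    "APACHE_SERVERS": re.compile(r"\bApache/", re.I),
    "NFS_SERVERS": re.compile(r"\bnfs\b", re.I),
}

def parse_nbe(text):
    """Yield (host, service, description) for each 'results' record; skip other record types."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) >= 7 and fields[0] == "results":
            yield fields[2], fields[3], fields[6]

def classify_hosts(text):
    """Map each variable name to the sorted list of hosts whose findings match its pattern."""
    groups = defaultdict(set)
    for host, service, desc in parse_nbe(text):
        haystack = f"{service} {desc}"
        for var, pat in ROLE_PATTERNS.items():
            if pat.search(haystack):
                groups[var].add(host)
    return {var: sorted(hosts) for var, hosts in groups.items()}

def render_snort_vars(groups):
    """Emit snort.conf 'var NAME [a,b]' lines (Snort 2.x list syntax: brackets, no spaces)."""
    out = []
    for var in ROLE_PATTERNS:
        hosts = groups.get(var, [])
        if hosts:
            out.append(f"var {var} [{','.join(hosts)}]")
        else:
            # An undefined var breaks any rule that references it, so flag it instead of silently omitting.
            out.append(f"# {var}: no host in the scan matched; set it by hand before rules reference it")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_snort_vars(classify_hosts(SAMPLE_NBE)), end="")
```

A host is only ever added to a group by a finding that names the service, so the generated lists shrink the rule set to hosts the scan actually saw rather than to the whole $HOME_NET.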
