Snort mailing list archives

v2.1 config question

From: Rich Adamson <radamson () routers com>
Date: Tue, 16 Mar 2004 07:38:44 -0600


snort v2.1.1 monitoring an Internet Banking web server (port 80 and
443 only allowed through firewall)...

Is there a way to configure snort (by itself) to watch for a certain
url (that triggers the start of a 443 session), AND, watch for the
443 session startup from the same client source address, THEN, cause
an alert to be logged?

Simply looking for a way to log IP addresses of regular Internet Banking
users. Presumably over some period of time, a usage database could be
built that could be used to identify potential hacking attempts. (The
server is in a rather small rural setting where the users tend to be
coming from nearby IP addresses, and I fully undertand ISP IP addressing
issues.)

Thoughts?

Rich




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

v2.1 config question Rich Adamson (Mar 16)
- <Possible follow-ups>
- RE: v2.1 config question Dave Randolph (Mar 16)