Snort mailing list archives

Re: RE: Network Behaviour Anomaly Detection


From: security () jonbaer net
Date: Wed, 30 Jun 2004 08:23:15 -0400

I personally don't think you should overload Snort w/ the job of what other applications should be 
accomplishing.  It just doesn't make sense.  The probe stuff is already handled ...

The area which I think you refer to, and which I had tried to implement, was more in regards to application 
error handling ... for example, if you place a MySQL server into a production environment you have a 
strict policy that certain errors should "just not happen" once it is there.  Login attempts, SQL out of 
bounds, response flags, things of that nature.  You can take one application and "wrap" Snort around it 
if you are good with rules, so the idea is some type of Snort Application Policy Creator or something.  

This would obviously adhere to items such as buffer overflows, but Snort already handles pretty much all 
common items being handed off over open ports anyways.  I think this really falls more into "Advanced 
Snort Tuning", just with better or easier tools for management.  I have not seen RNA/SF stuff but I'm sure 
some type of that methodology applies with the product somewhere.

- Jon

On Sat, Jun 26, 2004 at 02:02:43PM +0100, pieter claassen wrote:
> alert tcp any any -> $WEBSERVERS any (msg:"Somebody is probing our
> servers" ; anomaly:"ports > 20/min" )
>  - A match would indicate a quantitative increase in connections to more
> than 20/min to a webserver

-- 
pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47
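The quoted pseudo-rule uses an `anomaly:` option that is not real Snort syntax, so the semantics it describes (more than 20 connections per minute to any host in $WEBSERVERS) are shown here as a stand-alone sliding-window check. This is an added example written for this archive page, not code from either poster or from the Snort project; the webserver addresses, the connection-log line format and the log itself are constructed for the demonstration. The same counter could back the "login attempts that should just not happen" policy Jon describes, with the keyed field swapped from destination host to login-failure source.

```python
"""Sliding-window rate check for connections to a set of webservers.

Added example: implements the ">20 connections/min to a webserver" idea from
the quoted pseudo-rule outside Snort, over a constructed connection log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WEBSERVERS = {"10.0.0.10", "10.0.0.11"}   # hypothetical stand-in for $WEBSERVERS
RATE_LIMIT = 20                           # connections allowed per window
WINDOW = timedelta(minutes=1)             # the "/min" in the pseudo-rule


def make_sample_log():
    """Constructed sample log, one line per new TCP connection (not real traffic).

    Line format (constructed): "<ISO timestamp> <src ip> -> <dst ip>:<dst port>"
    """
    base = datetime(2004, 6, 26, 14, 0, 0)
    lines = []
    # 25 connections to 10.0.0.10 within 50 seconds: this should trip the check
    for i in range(25):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.7 -> 10.0.0.10:80")
    # 5 connections to 10.0.0.11 spread over ~4 minutes: ordinary traffic
    for i in range(5):
        ts = base + timedelta(seconds=50 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.8 -> 10.0.0.11:443")
    # a host outside $WEBSERVERS: the rule does not apply to it at all
    lines.append(f"{base.isoformat()} 192.0.2.9 -> 10.0.0.50:22")
    return sorted(lines)   # ISO timestamps sort correctly as strings


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dst_port)."""
    ts, src, _arrow, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, ip, int(port)


def find_rate_anomalies(lines, limit=RATE_LIMIT, window=WINDOW, webservers=WEBSERVERS):
    """Return one alert per burst in which a webserver exceeds `limit` new
    connections inside any `window`-long interval.

    Per destination we keep a deque of connection timestamps that still fall
    inside the window; its length is the current rate. One alert is raised
    when the rate first crosses the limit, and the alert re-arms only once
    the rate has dropped back to the limit or below, so a sustained burst
    does not flood the operator with one alert per packet.
    """
    recent = defaultdict(deque)   # dst ip -> timestamps within the last `window`
    in_alert = set()              # destinations currently above the limit
    alerts = []
    for line in lines:
        ts, _src, dst, _port = parse_line(line)
        if dst not in webservers:
            continue
        q = recent[dst]
        q.append(ts)
        while q and ts - q[0] >= window:   # expire entries older than the window
            q.popleft()
        if len(q) > limit:
            if dst not in in_alert:
                in_alert.add(dst)
                alerts.append({
                    "msg": "Somebody is probing our servers",
                    "dst": dst,
                    "time": ts.isoformat(),
                    "count": len(q),
                })
        else:
            in_alert.discard(dst)
    return alerts


if __name__ == "__main__":
    for alert in find_rate_anomalies(make_sample_log()):
        print(alert)
```

On the constructed log this raises exactly one alert, for 10.0.0.10 at the 21st connection of its burst; the slower traffic to 10.0.0.11 and the connection to the non-webserver never cross the threshold. Tuning `RATE_LIMIT` and `WINDOW` per application is the "Advanced Snort Tuning" part: the right numbers depend on what normal load to that service looks like.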

