Snort mailing list archives
Re: RE: Network Behaviour Anomaly Detection
From: security () jonbaer net
Date: Wed, 30 Jun 2004 08:23:15 -0400
I personally don't think you should overload Snort w/ the job of what other applications should be accomplishing. It just doesn't make sense. The probe stuff is already handled ... The area in which I think you refer to and I had tried to implement was more in regards to application error handling ... for example if you place a MySQL server into a production environment you have a strict policy that certain errors should "just not happen" once it is there. Login attempts, SQL out of bounds, response flags, things of that nature. You can take one application and "wrap" Snort around it if you are good with rules, so the idea is some type of Snort Application Policy Creator or something. This would obviously adhere to items such as buffer overflows but Snort already handles pretty much common items being handed off over open ports anyways. I think this really falls more into "Advanced Snort Tuning" just with better or easier tools for management. I have not seen RNA/SF stuff but I'm sure some type of that methodology applies with the product somewhere.

- Jon

On Sat, Jun 26, 2004 at 02:02:43PM +0100, pieter claassen wrote:
> alert tcp any any -> $WEBSERVERS any (msg:"Somebody is probing our servers"; anomaly:"ports > 20/min")
>
> A match would indicate a quantitative increase in connections to more than 20/min to a webserver
-- 
pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47
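The per-destination rate check that pieter's proposed "anomaly" option describes (more than 20 connections per minute to a web server), written here as an added stand-alone script rather than a Snort rule, in the spirit of Jon's point that this job belongs outside Snort. This is not code from the thread; the log line format, the server addresses standing in for $WEBSERVERS and the sample lines are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed stand-in for Snort's $WEBSERVERS variable.
WEBSERVERS = {"10.0.0.10", "10.0.0.11"}
WINDOW_SECONDS = 60     # "per minute"
MAX_PER_WINDOW = 20     # "> 20/min"


def parse_line(line):
    """Parse a constructed connection record:
    '2004-06-26T14:02:01 192.0.2.7 -> 10.0.0.10:80'"""
    ts, src, _, dst = line.split()
    dst_ip, _, dst_port = dst.rpartition(":")
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def find_probes(lines, webservers=WEBSERVERS,
                window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
    """Sliding-window count of connections per destination web server.
    Returns one (timestamp, dst_ip, count) alert per burst, raised the
    first time the count inside the window exceeds the limit; the window
    is then cleared so a single burst does not alert on every packet."""
    recent = defaultdict(deque)   # dst_ip -> timestamps inside the window
    alerts = []
    for line in lines:
        ts, _src, dst_ip, _port = parse_line(line)
        if dst_ip not in webservers:
            continue                      # only watch the web servers
        q = recent[dst_ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()                   # drop entries older than the window
        if len(q) > limit:
            alerts.append((ts, dst_ip, len(q)))
            q.clear()
    return alerts


# Constructed sample log: a burst of 25 connections to 10.0.0.10 in 25
# seconds (should alert), plus 5 connections to 10.0.0.11 spread over
# 50 minutes (should not).
SAMPLE_LOG = (
    [f"2004-06-26T14:02:{i:02d} 192.0.2.7 -> 10.0.0.10:80" for i in range(25)]
    + [f"2004-06-26T14:{m:02d}:00 198.51.100.3 -> 10.0.0.11:443"
       for m in range(0, 50, 10)]
)

if __name__ == "__main__":
    for ts, dst, n in find_probes(SAMPLE_LOG):
        print(f"{ts.isoformat()} Somebody is probing our servers: "
              f"{n} connections to {dst} within {WINDOW_SECONDS}s")
```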