Snort mailing list archives
Snort as an anomalous behavior IDS
From: Willst Mail <willstmail () gmail com>
Date: Wed, 31 Mar 2010 18:32:42 -0400
Hello, I have a network segment for which I can actually nicely define what is considered "good" traffic - unusual for a large network, but apparently possible! I could probably describe the traffic with the equivalent of about 15-20 Snort rules. Unfortunately it's not a segment where we can use a firewall or router ACLs to actually restrict traffic to this known-good set, but we still want to know when traffic deviates from known good.

What I'd like to be able to do is alert on anything that DOESN'T match the 15-20 rules defining good. Any recommendations for how to do this? Is it as simple as having a ruleset with the good rules, and a final rule that matches (any any -> any any)?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
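The approach the post asks about, written out as a Snort 2.x rules fragment. This is an added example, not code from the original post or from the Snort project: the known-good traffic is expressed as `pass` rules, and a single catch-all `alert` fires on anything that was not passed. The networks (`GOOD_NET`, `DNS_SERVERS`, `NTP_SERVERS`), ports and sid numbers are assumed placeholders standing in for the 15-20 real definitions of "good".

```snort
# Added example, not part of the original post. Addresses, ports and sids
# are assumed placeholders; replace them with the segment's real known-good set.
ipvar GOOD_NET    10.10.20.0/24                 # assumed: the monitored segment
ipvar DNS_SERVERS [10.10.1.53,10.10.2.53]       # assumed: resolvers the segment may use
ipvar NTP_SERVERS 10.10.1.123                   # assumed: the one permitted time source

# 1. Known-good traffic as 'pass' rules. A packet matching a pass rule is taken
#    out of further rule evaluation, so it never reaches the catch-all below.
#    Note the whitelist is per packet: every packet of a legitimate session
#    (SYN, data, FIN, replies) must be covered, hence '<>' rather than '->'
#    and no 'flow:established' on the TCP rules.
pass tcp $GOOD_NET any <> $GOOD_NET 443    (msg:"good: HTTPS inside segment"; sid:1000001; rev:1;)
pass udp $GOOD_NET any <> $DNS_SERVERS 53  (msg:"good: DNS to approved resolvers"; sid:1000002; rev:1;)
pass udp $GOOD_NET 123 <> $NTP_SERVERS 123 (msg:"good: NTP to approved server"; sid:1000003; rev:1;)
# ... remaining known-good definitions go here ...

# 2. Everything else. 'ip' matches every IP protocol, so ICMP, unexpected TCP
#    ports, odd UDP, etc. all land here. The threshold keeps one noisy host
#    from producing one alert per packet: at most one alert per source per minute.
alert ip any any -> any any (msg:"ANOMALY: traffic outside known-good set"; \
    threshold:type limit, track by_src, count 1, seconds 60; sid:1000100; rev:1;)
```

Two things to check before trusting this. First, `pass` rules only protect traffic from the catch-all if Snort evaluates pass rules before alert rules; Snort 2.8-era builds do this by default, but older versions evaluated alerts first and needed `-o` or `config order: pass alert log` in snort.conf, so confirm the order your build uses. Second, the catch-all alerts on each non-matching packet rather than per session, so the `threshold` (or an equivalent `event_filter`) is what keeps the alert volume reviewable; without it a single unexpected host can flood the log.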
Current thread:
- Snort as an anomalous behavior IDS Willst Mail (Mar 31)