Snort mailing list archives

Snort as an anomalous behavior IDS


From: Willst Mail <willstmail () gmail com>
Date: Wed, 31 Mar 2010 18:32:42 -0400

Hello,
I have a network segment for which I can actually nicely define what
is considered "good" traffic - unusual for a large network, but
apparently possible!  I could probably describe the traffic with the
equivalent of about 15-20 Snort rules.  Unfortunately it's not a
segment where we can use a firewall or router ACLs to actually
restrict traffic to this known-good set, but we still want to know
when traffic deviates from known good.  What I'd like to be able to do
is alert on anything that DOESN'T match the 15-20 rules defining good.
Any recommendations for how to do this?  Is it as simple as having a
ruleset with the good rules, and a final rule that matches (any any ->
any any)?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
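As an added example, not part of the original thread and not an answer posted by anyone on the list, this is one way to build the "known-good plus catch-all" ruleset the question sketches, written for Snort 2.x. The addresses, ports, variable names and SIDs are constructed placeholders; `config order:` and the `-o` command-line switch are real Snort 2 mechanisms for changing rule-type evaluation order, and the `event_filter` line assumes a build (2.8.4 or later) that supports it.

```snort
# Added example, not from the thread: whitelist the known-good flows with
# pass rules and let a final catch-all alert fire on everything else.
# All addresses, ports and SIDs are constructed placeholders.

# Pass rules must be evaluated before alert rules; the default order has
# differed between Snort 2 versions, so set it explicitly here (the -o
# command-line switch has the same effect).
config order: pass alert log

# Assumed example segment and the servers it is allowed to talk to.
var SEGMENT_NET 192.0.2.0/24
var DNS_SERVER  198.51.100.53
var WEB_SERVER  198.51.100.80
var NTP_SERVER  198.51.100.123

# --- Known-good traffic: one pass rule per permitted flow ---------------
# The bidirectional operator (<>) also passes the replies; with -> only,
# every server response would be reported as a deviation.
pass udp $SEGMENT_NET any <> $DNS_SERVER 53  (msg:"known-good DNS";   sid:1000001; rev:1;)
pass tcp $SEGMENT_NET any <> $WEB_SERVER 80  (msg:"known-good HTTP";  sid:1000002; rev:1;)
pass tcp $SEGMENT_NET any <> $WEB_SERVER 443 (msg:"known-good HTTPS"; sid:1000003; rev:1;)
pass udp $SEGMENT_NET any <> $NTP_SERVER 123 (msg:"known-good NTP";   sid:1000004; rev:1;)
# ... the remaining known-good flows (the question estimates 15-20 rules)

# --- Catch-all: any packet that was not passed above is a deviation ----
alert ip any any -> any any (msg:"Traffic outside known-good set"; \
    classtype:policy-violation; sid:1000100; rev:1;)

# Keep the catch-all from flooding the log with one alert per packet:
# at most one event per source address per minute (assumed event_filter
# syntax, available from Snort 2.8.4).
event_filter gen_id 1, sig_id 1000100, type limit, track by_src, count 1, seconds 60
```

Two caveats worth keeping in mind with this pattern. First, a pass rule removes the matching packet from further inspection, so any other signatures loaded alongside these rules never see the whitelisted flows; if the segment also needs conventional signature detection, run that as a separate Snort instance or policy rather than in the same ruleset. Second, `alert ip any any -> any any` fires on every packet Snort sees that is not passed, including traffic on other interfaces or VLANs the sensor happens to capture, so bind the sensor (or the rule's address variables) to the segment in question.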

