Snort mailing list archives

Re: Snort as an anomalous behavior IDS


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Sat, 03 Apr 2010 09:34:27 +1300

On 04/03/2010 08:21 AM, Willst Mail wrote:
Jason,
Sounds like you did what I want to do.  Let's say outbound HTTP is
fine but anything else is bad, would your ruleset look something like:


I'm not sure what you're wanting to use it for, but for us it was about
picking up *successful* compromises of our DMZ servers, i.e. someone
attacks a server, breaks in and the first thing they normally do is
download a toolkit - the rules are to pick up those events. They may use
HTTP to download that toolkit - so whitelisting all HTTP would mean you
won't detect the event.

We whitelist specific download types - i.e. downloading from Sophos
webservers is OK, connecting to http://1.2.3.4/ is not. Takes some work
to get right - but it's worth it.


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
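The whitelist-then-alert approach described above, written out as Snort 2.x rules. This is an added illustration, not Jason's ruleset or anything from the Snort project; the network variables (DMZ_NET, APPROVED_UPDATE_SERVERS), the addresses in them and the SIDs are made-up placeholders to be replaced with your own values.

```snort
# --- snort.conf variables (assumed values, replace with your own) ---
ipvar DMZ_NET [192.0.2.0/24]
# Vendor update servers the DMZ hosts are allowed to fetch from
# (e.g. your AV vendor's download servers); constructed addresses
ipvar APPROVED_UPDATE_SERVERS [203.0.113.10,203.0.113.11]
portvar HTTP_PORTS [80,8080]

# --- rules ---
# 1. Whitelist: outbound HTTP from the DMZ to approved servers is fine.
pass tcp $DMZ_NET any -> $APPROVED_UPDATE_SERVERS $HTTP_PORTS \
    (msg:"DMZ outbound HTTP to approved update server"; \
     flow:to_server,established; sid:1000001; rev:1;)

# 2. Fetching by raw IP (http://1.2.3.4/ style) is what a freshly
#    compromised box tends to do; flag it explicitly.
alert tcp $DMZ_NET any -> !$DMZ_NET $HTTP_PORTS \
    (msg:"DMZ outbound HTTP request with IP-literal Host header"; \
     flow:to_server,established; content:"Host|3A| "; nocase; \
     pcre:"/^Host\x3a\s*\d{1,3}(\.\d{1,3}){3}/mi"; \
     classtype:policy-violation; sid:1000002; rev:1;)

# 3. Catch-all: any other outbound HTTP request from a DMZ server is
#    unexpected, since these hosts should only ever answer requests.
alert tcp $DMZ_NET any -> !$DMZ_NET $HTTP_PORTS \
    (msg:"DMZ outbound HTTP to non-whitelisted host"; \
     flow:to_server,established; content:"GET "; depth:4; \
     classtype:policy-violation; sid:1000003; rev:1;)
```

Two things to check before relying on this: rule ordering, because older Snort 2.x builds evaluate alert rules before pass rules unless you run with `-o` or set `config order:` in snort.conf (otherwise rule 1 never suppresses rules 2 and 3), and the `flow:to_server` direction, which is what keeps the DMZ hosts' normal inbound web traffic from matching.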

