I'm learning to write Snort rules. Wow, some are really straightforward, and some are "out there."

It occurred to me that Snort is really busy -- after going through some of the thousands of signatures. (yes, I know, don't run the ones you don't have to.)

Is anyone aware of efforts to set up a rule set that will monitor traffic that your network is *supposed* to be doing -- and flag on anything that it sees out of the ordinary? Kinda like a "reverse application" of the filtering scheme. It seems to me that, rather than looking for the possible thousands of signatures, hoping you have one to detect the event, it might be easier to ignore the allowed traffic and flag on any unusual stuff -- like the dude trying to run the SSH shell through port 80, or IRC on an "unauthorized" port.

How would you go about writing such a rule that says "this SSH traffic on this box is OK, flag all others" ?

This may be a good way to help detect covert channels -- or a good way to fill your logs with a billion false positives...

Just a thought...
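One way to express the "this SSH traffic on this box is OK, flag all others" idea in Snort's own rule language, as an added example that is not part of the original post: a `pass` rule whitelists the sanctioned SSH server, and an `alert` rule with no port restriction fires on the cleartext SSH version banner anywhere else, which is what catches SSH tunnelled over port 80. The same pattern is repeated for IRC on a non-standard port. The server address 192.0.2.10, the IRC server 192.0.2.20 and the SIDs in the 1000000+ local range are assumptions for illustration; `$HOME_NET` is the standard Snort variable.

```snort
# --- SSH: allow the one sanctioned server, alert on the banner anywhere else ---

# Authorized: clients in HOME_NET talking SSH to the sanctioned server on tcp/22.
# 192.0.2.10 is an assumed placeholder address.
pass tcp $HOME_NET any -> 192.0.2.10 22 ( \
    msg:"POLICY authorized SSH to bastion"; \
    flow:to_server,established; \
    content:"SSH-"; depth:4; \
    sid:1000001; rev:1; )

# Everything else: the client-side SSH version string ("SSH-2.0-...") is sent in
# the clear at the start of every session, so match it on ANY port, not just 22.
alert tcp any any -> $HOME_NET any ( \
    msg:"POLICY SSH banner outside approved hosts/ports"; \
    flow:to_server,established; \
    content:"SSH-"; depth:4; \
    sid:1000002; rev:1; )

# --- IRC: allow the sanctioned server on 6667, alert on IRC registration elsewhere ---

# Authorized IRC server (192.0.2.20 is an assumed placeholder address).
pass tcp $HOME_NET any -> 192.0.2.20 6667 ( \
    msg:"POLICY authorized IRC"; \
    flow:to_server,established; \
    content:"NICK "; \
    sid:1000003; rev:1; )

# IRC client registration (NICK followed by USER) on any port to any destination.
alert tcp $HOME_NET any -> any any ( \
    msg:"POLICY IRC registration on unapproved host/port"; \
    flow:to_server,established; \
    content:"NICK "; \
    content:"USER "; distance:0; \
    sid:1000004; rev:1; )
```

Two things to check before trusting this. First, rule ordering: Snort only suppresses the alert if pass rules are evaluated before alert rules, and which order is the default depends on the Snort version (in Snort 2 see the `-o` switch and `config order:`; Snort 3 evaluates pass rules first), so confirm the order for the build you run or the pass rule will silently do nothing. Second, this approach works for SSH and IRC precisely because both announce themselves in cleartext at the start of the connection; a protocol that encrypts from the first byte, or one a user has wrapped in TLS on 443, will not trip a content match like this, which is the gap the original post is worried about with covert channels.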