snort-users January 2008 archive

Re: [Snort-users] logging abnormal traffic

From: Wim Fournier <hsmade_at_nospam>
Date: Wed Jan 16 2008 - 13:57:16 GMT
To: "Paul Melson" <pmelson@gmail.com>


Thanks for your thoughts on this. I'll give that a try ;o)

Wim

On Jan 16, 2008 1:14 PM, Paul Melson <pmelson@gmail.com> wrote:
>
> On Jan 16, 2008 5:30 AM, Wim Fournier <hsmade@gmail.com> wrote:
> > Hi all,
> >
> > I'm a newbie on this product, so please excuse me for asking stupid
> > questions ;o)
> >
> > I want to monitor traffic to our web servers. The traffic is very
> > well and easily defined. A definition would look like:
> >
> > client requests /some/dir/file?param=value&param2=value2&....etc
> > Server responds with 200 OK and a GIF picture or a 302
> >
> > Now I want to log anything that does not match this, as in web
> > requests that don't match this pattern and other requests than GET.
> > Is there an easy way to do this? Like first defining the accepted
> > traffic and logging anything else?
> >
> > Thanks for any clues, pointers, whatever
>
> If you can easily define appropriate traffic to your webserver with a
> couple of regex expressions, then you could write some pass rules for
> the known-good pcre patterns and then write an alert rule that matched
> on any connection to the web server. This should result in only
> things that don't match your pattern being alerted on by Snort.
>
> More on rules here:
> http://www.snort.org/docs/snort_htmanuals/htmanual_280/node163.html
>
> PaulM
>
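What Paul's suggestion looks like as an actual rules fragment, added here as an example and not posted by anyone in the thread. It assumes Snort 2.8-era syntax, the usual $EXTERNAL_NET / $HTTP_SERVERS / $HTTP_PORTS variables from snort.conf, the /some/dir/file path from Wim's description, and made-up SIDs in the 1000000+ local range. The parameter regex is an assumption about what "value" may contain and should be tightened to the real query-string grammar.

```snort
# Example rules (not from the original thread). SIDs, variable names and the
# parameter character class are assumptions.

# Pass rules only help if they are evaluated before alert rules. Force that
# order explicitly rather than relying on the build's default.
config order: pass alert log activation dynamic

# --- Client side: whitelist the one known-good request shape ---------------
# GET /some/dir/file?param=value&param2=value2 ... and nothing else.
# The "U" modifier anchors the PCRE to the normalized URI buffer, so encoded
# variants of the path are matched after http_inspect has decoded them.
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"Allowed GET /some/dir/file with query params"; \
    flow:to_server,established; \
    content:"GET "; depth:4; \
    uricontent:"/some/dir/file?"; nocase; \
    pcre:"/^\/some\/dir\/file\?\w+=[\w.%-]*(&\w+=[\w.%-]*)*$/U"; \
    sid:1000001; rev:1;)

# Anything else that looks like an HTTP request to the web servers is alerted
# on: other methods, other paths, extra or malformed parameters.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"Unexpected request to web server"; \
    flow:to_server,established; \
    content:"HTTP/1."; \
    sid:1000002; rev:1;)

# --- Server side: whitelist "200 OK + GIF" and "302", alert on the rest ------
pass tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"Allowed 200 response carrying a GIF"; \
    flow:to_client,established; \
    content:"HTTP/1."; depth:7; \
    content:" 200 "; within:8; \
    content:"Content-Type|3A| image/gif"; nocase; \
    sid:1000003; rev:1;)

pass tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"Allowed 302 redirect"; \
    flow:to_client,established; \
    content:"HTTP/1."; depth:7; \
    content:" 302 "; within:8; \
    sid:1000004; rev:1;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( \
    msg:"Unexpected response from web server"; \
    flow:to_client,established; \
    content:"HTTP/1."; depth:7; \
    sid:1000005; rev:1;)
```

Two things to check before trusting the output. First, pass and alert decisions are made per packet, not per connection, so the server-side rules depend on stream reassembly being enabled for $HTTP_PORTS; a status line and its Content-Type header split across segments will otherwise be seen by the alert rule but not the pass rule. Second, replay a capture of known-good traffic (for example `snort -c snort.conf -r good.pcap -A console`) and confirm it produces no alerts before putting this in front of live traffic; any false positive there means the whitelist regex is narrower than the real request grammar.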


