Snort mailing list archives

RE: Making snort smarter...


From: <bmcdowell () coxhealthplans com>
Date: Tue, 29 Apr 2003 10:49:20 -0500

Not that I couldn't just look and find out for myself, but:

Are there any 'web' rules that you want alerting for IIS servers?

Obviously the reverse is the issue, but would such a fix break anything
else?

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Paul Schmehl
Sent: Tuesday, April 29, 2003 9:49 AM
To: Jason Haar; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Making snort smarter...


Sure, I could do that, and then I'd have to cron it so that after
oinkmaster replaces the rules they get fixed again.

Wouldn't it be simpler to just incorporate this as a change to the
ruleset? That way it's fixed for everyone.

--On Tuesday, April 29, 2003 09:03:50 PM +1200 Jason Haar 
<Jason.Haar () trimble co nz> wrote:

Paul Schmehl wrote:
For the specific example you give I think it would be entirely
appropriate to create a var called "$IIS_SERVERS" and then put all the
*other* webservers under $HTTP_SERVERS.  I've suggested this before, and
I'd love to see it implemented in the rules, because IIS is a beast unto
itself.

Good idea - but as all IIS rules are within web-iis.rules, why not just
script a rewrite?

echo "var IIS_SERVERS [1.2.3.4/32,2.3.4.1/32]"
sed 's/HTTP_SERVERS/IIS_SERVERS/g' web-iis.rules


Jason



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu






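The thread's two ideas, the sed rewrite of web-iis.rules and re-applying it each time the rule updater replaces the file, combined into one idempotent post-update script. This is an added example, not code from any of the posters; the function names, the 10.0.0.5 address and the sample rule are constructed, and it also covers the "would it break anything" question by declaring the variable and leaving longer variable names alone.

```shell
#!/bin/sh
# Added example, not from the thread. The function names, the 10.0.0.5
# address and the sample rule are constructed for illustration.

# Rewrite only the variable reference $HTTP_SERVERS, not longer names that
# start with it. Output goes to a temp file first, so a failed sed leaves
# the rules untouched, and running it twice changes nothing further.
rewrite_iis_rules() {
    rules=$1
    tmp=$(mktemp) || return 1
    sed -e 's/\$HTTP_SERVERS\([^A-Za-z0-9_]\)/$IIS_SERVERS\1/g' \
        -e 's/\$HTTP_SERVERS$/$IIS_SERVERS/' "$rules" > "$tmp" &&
        cat "$tmp" > "$rules"    # cat keeps the file's owner and mode
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Snort exits on a rule that references an undefined variable, so declare
# IIS_SERVERS in the config (once) before the rewritten rules are loaded.
ensure_iis_var() {
    conf=$1; servers=$2
    if ! grep -q '^[[:space:]]*var[[:space:]][[:space:]]*IIS_SERVERS[[:space:]]' "$conf"; then
        printf 'var IIS_SERVERS %s\n' "$servers" >> "$conf"
    fi
}

# Number of lines still referencing $HTTP_SERVERS (0 after a clean rewrite).
remaining_http_refs() {
    grep -c -e '\$HTTP_SERVERS[^A-Za-z0-9_]' -e '\$HTTP_SERVERS$' "$1" || true
}

demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/web-iis.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed sample"; content:"/sample.dll"; sid:1000001; rev:1;)
EOF
    printf 'var HTTP_SERVERS [10.0.0.5/32]\n' > "$dir/snort.conf"
    ensure_iis_var "$dir/snort.conf" '[1.2.3.4/32,2.3.4.1/32]'
    rewrite_iis_rules "$dir/web-iis.rules"
    echo "HTTP_SERVERS references left: $(remaining_http_refs "$dir/web-iis.rules")"
    cat "$dir/snort.conf" "$dir/web-iis.rules"
    rm -rf "$dir"
}
demo
```

Calling the two functions from the same cron job or wrapper that runs the rule update, after the update step, keeps the rewrite in place without a separate schedule.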