Re: Rule set for non-intrusive events?

[Eoin Miller <eoin.miller () trojanedbinaries com>]

On 1/9/2013 16:47, Steve Marotta wrote:
> Has anyone ever developed and published a Snort rule set that reports normal, non-intrusive, high-level events? 
> Something like, SSH login, MySQL transaction, HTTP response, that sort of thing. I realize that's not quite in the 
> domain for which Snort was intended, but it's technically possible and seems like someone that at least one other 
> person out there has wanted to do. Or maybe not. Do any of you know if something like that is available?

Usually what the server logs are for. Those will be much more accurate
than IDS. There is an INFO ruleset, but it is geared more towards
helping create logging for forensics/post compromise of drive by
kits/infects rather than for immediate review:

http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/emerging-info.rules

-- Eoin


------------------------------------------------------------------------------
Master Java SE, Java EE, Eclipse, Spring, Hibernate, JavaScript, jQuery
and much more. Keep your Java skills current with LearnJavaNow -
200+ hours of step-by-step video tutorials by Java experts.
SALE $49.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122612 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!