Thanks for your thoughts on this. I'll give that a try ;o)
Wim
On Jan 16, 2008 1:14 PM, Paul Melson <pmelson@gmail.com> wrote:
On Jan 16, 2008 5:30 AM, Wim Fournier <hsmade@gmail.com> wrote:
Hi all,
I'm a newbie on this product, so please excuse me for asking stupid
questions ;o)
I want to monitor traffic to a our web servers. The traffic is very
well and easy defined. A definition would look like:
client requests /some/dir/file?param=value¶m2=value2&....etc
Server responds with 200 OK and a GIF picture or a 302
Now I want to log anything that does not match this, as in web
requests that don't match this pattern and other requests than GET.
Is there an easy way to do this? Like first defining the accepted
traffic and logging anything else?
Thanks for any clues, pointers, whatever
If you can easily define appropriate traffic to your webserver with a
couple of regex expressions, then you could write some pass rules for
the known-good pcre patterns and then write an alert rule that matched
on any connection to the web server. This should result in only
things that don't match your pattern being alerted on by Snort.
More on rules here:
http://www.snort.org/docs/snort_htmanuals/htmanual_280/node163.html
PaulM
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
