[Emerging-Sigs] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
RPG
inittab at jtan.com
Wed Feb 6 08:42:52 EST 2008
Thierry CHICH wrote:
> Le mercredi 06 février 2008, Jack Pepper a écrit :
>> Quoting Thierry CHICH <thierry.chich at ac-clermont.fr>:
>>> Is there somebody who has found a way to see if the traffic that triggers
>>> that alert is eDonkey or not? I have a lot of alerts, and it bores me
>>> to just let all this p2p traffic pass and do nothing.
>> In cases where I have confirmed the P2P usage, the defining feature
>> was that one inside address was hitting those rules on dozens of
>> outside addrs.
>>
>> one inside addr --> one outside addr [ not p2p, but something else ]
>>
>> one inside addr --> lots of outside addrs [ p2p or malware infection ]
>>
>
> It is perfectly true. However, since I would use flexresp in order to calm
> down the traffic, I need to have it in some kind of rule. And I can't figure
> out how to do that. Is there a way you can imagine?
> Or is it a feature that is planned for a future release of Snort?
If you haven't already, I would suggest looking into Simple Event
Correlator (SEC). Here are some URLs that will give you an idea of
its flexibility and power.
http://simple-evcorr.sourceforge.net/
http://www.bleedingthreats.net/sec/
http://sial.org/howto/logging/sec.pl/
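Jack Pepper's fan-out heuristic from the thread (one inside address hitting this rule against dozens of outside addresses points to P2P or an infection, one-to-one points to something else) is easy to check outside of Snort itself. The script below is an added example, not code from anyone in the thread and not an SEC ruleset; it parses constructed Snort fast-alert lines directly in Python and assumes 192.168.1.0/24 is the inside network, a local-range placeholder sid, and a threshold of 5 distinct outside peers.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

INSIDE_NETS = [ip_network("192.168.1.0/24")]  # assumption: the monitored LAN
RULE_MSG = "ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"
FANOUT_THRESHOLD = 5  # assumption: distinct outside peers before we call it fan-out

# Snort "fast" alert layout: ts [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def is_inside(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INSIDE_NETS)

def peers_by_inside_host(lines, msg=RULE_MSG):
    """Map each inside host to the set of distinct outside hosts seen with it
    in alerts carrying `msg`, whichever side initiated the connection."""
    peers = defaultdict(set)
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or m.group("msg") != msg:
            continue  # other rule, or a line we cannot parse
        src, dst = m.group("src"), m.group("dst")
        if is_inside(src) and not is_inside(dst):
            peers[src].add(dst)
        elif is_inside(dst) and not is_inside(src):
            peers[dst].add(src)
    return peers

def classify(lines, threshold=FANOUT_THRESHOLD):
    """Return {inside_ip: ('fan-out' | 'single-peer', distinct_outside_count)}."""
    result = {}
    for host, outside in peers_by_inside_host(lines).items():
        n = len(outside)
        result[host] = ("fan-out" if n >= threshold else "single-peer", n)
    return result

def _alert(ts, src, sport, dst, dport):
    # constructed sample line; sid 1000001 is a local-range placeholder, not the real ET sid
    return (f"02/06-{ts}  [**] [1:1000001:1] {RULE_MSG} [**] [Priority: 1] "
            f"{{TCP}} {src}:{sport} -> {dst}:{dport}")

# constructed sample: one host talks to 8 outside peers, another to a single outside server
SAMPLE_ALERTS = (
    [_alert(f"08:40:{i:02d}.000000", "192.168.1.20", 40000 + i, f"203.0.113.{i}", 4662) for i in range(1, 9)]
    + [_alert(f"08:41:{i:02d}.000000", "192.168.1.7", 51000 + i, "198.51.100.9", 8443) for i in range(1, 4)]
)

if __name__ == "__main__":
    for host, (verdict, n) in sorted(classify(SAMPLE_ALERTS).items()):
        print(f"{host}: {verdict} ({n} distinct outside peers)")
```

Feeding the output back into a flexresp or firewall rule is then a matter of acting on the hosts tagged `fan-out`, rather than on every alert.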