
List:       emerging-sigs
Subject:    [Emerging-Sigs] ET POLICY TLS/SSL Encrypted Applic
From:       thierry.chich () ac-clermont ! fr (Thierry CHICH)
Date:       2008-02-06 13:23:07
Message-ID: 200802061423.07896.thierry.chich () ac-clermont ! fr

On Wednesday 06 February 2008, Jack Pepper wrote:
> Quoting Thierry CHICH <thierry.chich at ac-clermont.fr>:
> > Is there somebody who has found a way to see if the traffic that triggers
> > that alert is edonkey or not? I have a lot of alerts, and it is boring
> > me to just let all this p2p traffic pass and do nothing.
>
> In cases where I have confirmed the P2P usage, the defining feature
> was that one inside address was hitting those rules on dozens of
> outside addrs.
>
> one inside addr -->  one outside addr  [ not p2p, but something else ]
>
> one inside addr -->  lots of outside addrs [ p2p or malware infection ]
>

It is perfectly true. However, since I would use flexresp in order to calm 
down the traffic, I need to have it in some kind of rule. And I can't figure 
out how to do that. Is there a way you can imagine?
Or is it a feature that is planned for a future release of Snort?

-- 
Thierry CHICH
Equipe Réseaux / Rectorat de Clermont-Ferrand
Tel: +33 4 73 99 30 54
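The fan-out heuristic from Jack Pepper's reply, applied to Snort fast-alert output, as an added example (not code from the thread): it counts distinct outside destinations per inside source for the ET POLICY TLS/SSL Encrypted alert and reports the sources that exceed a threshold. The inside address ranges, the SID and the full alert name in the constructed sample lines are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Snort "fast" alert line layout: "[**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port".
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

# Assumed site-internal ranges; adjust to the monitored network.
INSIDE = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Prefix of the alert name as it appears (truncated) in the thread subject.
MSG_PREFIX = "ET POLICY TLS/SSL Encrypted"


def is_inside(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INSIDE)


def fan_out(lines, threshold=10):
    """Return {inside_src: set(outside_dsts)} for sources with >= threshold distinct peers."""
    peers = defaultdict(set)
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or not m.group("msg").startswith(MSG_PREFIX):
            continue
        src, dst = m.group("src"), m.group("dst")
        # Only inside -> outside pairs count; internal traffic is not the P2P case.
        if is_inside(src) and not is_inside(dst):
            peers[src].add(dst)
    return {src: dsts for src, dsts in peers.items() if len(dsts) >= threshold}


def _line(src, dst):
    # Constructed sample line; the SID and the full alert name are placeholders.
    return (f"02/06-13:23:07.000000  [**] [1:9999999:1] {MSG_PREFIX} Application [**] "
            f"[Priority: 1] {{TCP}} {src}:40000 -> {dst}:443")


# Constructed sample alerts: one fan-out host, one single-peer host, one internal pair.
SAMPLE = (
    [_line("10.1.2.3", f"203.0.113.{i}") for i in range(1, 16)]  # 15 distinct outside peers
    + [_line("10.1.2.4", "198.51.100.7")] * 20                   # many hits, one peer
    + [_line("10.1.2.5", "10.1.2.6")]                             # inside -> inside, ignored
)

if __name__ == "__main__":
    for src, dsts in fan_out(SAMPLE).items():
        print(f"{src}: {len(dsts)} distinct outside peers")
```

Snort's threshold and detection_filter options track event counts by source or destination address, not the number of distinct peers, so this aggregation has to run over the alert output rather than inside the rule.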
