List: emerging-sigs
Subject: [Emerging-Sigs] ET POLICY TLS/SSL Encrypted Applic
From: thierry.chich () ac-clermont ! fr (Thierry CHICH)
Date: 2008-02-06 13:23:07
Message-ID: 200802061423.07896.thierry.chich () ac-clermont ! fr
On Wednesday 06 February 2008, Jack Pepper wrote:
> Quoting Thierry CHICH <thierry.chich at ac-clermont.fr>:
> > Is there somebody who has found a way to see if the traffic that triggers
> > that alert is edonkey or not? I have a lot of alerts, and it is boring
> > me to just let all this p2p traffic pass and do nothing.
>
> In cases where I have confirmed the P2P usage, the defining feature
> was that one inside address was hitting those rules on dozens of
> outside addrs.
>
> one inside addr --> one outside addr [ not p2p, but something else ]
>
> one inside addr --> lots of outside addrs [ p2p or malware infection ]
>
It is perfectly true. However, since I would use flexresp in order to calm
down the traffic, I need to have it in some kind of rule. And I can't figure
out how to do that. Is there a way you can imagine?
Or is it a feature that is planned for a future release of Snort?
--
Thierry CHICH
Equipe Réseaux / Rectorat de Clermont-Ferrand
Tel: +33 4 73 99 30 54
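The fan-out heuristic from Jack Pepper's reply (one inside host hitting the rule against many distinct outside hosts) as post-processing over Snort alert output, an added example that is not code from the thread or from the Emerging Threats project. It assumes Snort "fast" alert format; the SID, addresses and the threshold of five peers are constructed placeholders.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample alert lines in Snort "fast" alert format. The SID
# (9999999) and every address are placeholders, not real values.
SAMPLE_ALERTS = """\
02/06-13:01:02.000001 [**] [1:9999999:1] ET POLICY TLS/SSL Encrypted Application [**] {TCP} 10.1.2.3:51000 -> 203.0.113.10:443
02/06-13:01:05.000002 [**] [1:9999999:1] ET POLICY TLS/SSL Encrypted Application [**] {TCP} 10.1.2.3:51001 -> 203.0.113.11:4662
02/06-13:01:07.000003 [**] [1:9999999:1] ET POLICY TLS/SSL Encrypted Application [**] {TCP} 10.1.2.3:51002 -> 198.51.100.7:4662
02/06-13:01:09.000004 [**] [1:9999999:1] ET POLICY TLS/SSL Encrypted Application [**] {TCP} 10.1.2.3:51003 -> 198.51.100.9:443
02/06-13:01:11.000005 [**] [1:9999999:1] ET POLICY TLS/SSL Encrypted Application [**] {TCP} 10.1.2.3:51004 -> 192.0.2.44:443
02/06-13:02:00.000006 [**] [1:9999999:1] ET POLICY TLS/SSL Encrypted Application [**] {TCP} 10.1.2.9:40000 -> 203.0.113.10:443
02/06-13:02:30.000007 [**] [1:9999999:1] ET POLICY TLS/SSL Encrypted Application [**] {TCP} 10.1.2.9:40001 -> 203.0.113.10:443
02/06-13:03:00.000008 [**] [1:9999999:1] ET POLICY TLS/SSL Encrypted Application [**] {TCP} 203.0.113.10:443 -> 10.1.2.9:40001
"""

ALERT_RE = re.compile(r"\{(?:TCP|UDP)\} (\S+?):\d+ -> (\S+?):\d+\s*$")

def peers_per_inside_host(lines, inside_net):
    """Map each inside address to the set of distinct outside addresses
    it exchanged alerts with, regardless of which side initiated."""
    net = ip_network(inside_net)
    peers = defaultdict(set)
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a parseable alert line, skip it
        a, b = ip_address(m.group(1)), ip_address(m.group(2))
        if a in net and b not in net:
            peers[str(a)].add(str(b))
        elif b in net and a not in net:
            peers[str(b)].add(str(a))
    return dict(peers)

def classify(lines, inside_net="10.0.0.0/8", threshold=5):
    """Apply the fan-out heuristic: at least `threshold` distinct outside
    peers is flagged 'p2p-or-infection', a single peer is 'single-peer'."""
    return {host: ("p2p-or-infection" if len(p) >= threshold else "single-peer")
            for host, p in peers_per_inside_host(lines, inside_net).items()}

if __name__ == "__main__":
    for host, verdict in classify(SAMPLE_ALERTS.splitlines()).items():
        print(host, verdict)
```

A Snort `threshold`/`detection_filter` counts events per source, not distinct destinations, so the distinct-peer count still has to be computed outside the rule engine as shown here.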