Not Suspicious Traffic

The Not Suspicious Traffic rule classification can be misleading. Rules that are categorized as Not Suspicious can be malicious and indicative of an intrusion. The nature of traffic that is defined as not suspicious is dependent on the situation in which it is discovered. Take the following successful Telnet access attempt rule:

alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any
(msg:"TELNET access"; flow:from_server,established;
content:"|FF FD 18 FF FD 1F FF FD 23 FF FD 27 FF FD 24|";
classtype:not-suspicious;)

This rule may not be considered suspicious if Snort is monitoring an internal host that is managed via Telnet. Conversely, an alert from this rule would be of great concern if Snort were monitoring hosts behind ...
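As an added illustration, not code from the book, the following Python decodes what the rule's content bytes actually match (the server's Telnet option negotiation at login) and shows that the classtype is only the rule's default, with the verdict coming from a sensor-specific policy; the sample streams and the managed-host list are constructed assumptions.

```python
from __future__ import annotations
import re

# content pattern from the TELNET access rule above: IAC (0xFF) DO (0xFD) <option>, five times
RULE_CONTENT = "|FF FD 18 FF FD 1F FF FD 23 FF FD 27 FF FD 24|"

# Telnet option codes for the bytes above (RFCs 1091, 1073, 1096, 1572, 1408)
TELNET_OPTIONS = {0x18: "TERMINAL-TYPE", 0x1F: "NAWS", 0x23: "X-DISPLAY-LOCATION",
                  0x27: "NEW-ENVIRON", 0x24: "ENVIRON"}

# constructed sample streams, server -> client: a login prompt that negotiates the
# five options, and a server that only negotiates ECHO (IAC WILL ECHO; no match)
SAMPLE_LOGIN_STREAM = bytes.fromhex("FFFD18FFFD1FFFFD23FFFD27FFFD24") + b"\r\nlogin: "
SAMPLE_OTHER_STREAM = b"\xff\xfb\x01" + b"\r\nlogin: "


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string (|hex| segments plus literal text) into bytes.
    Backslash escapes inside literals are not handled here."""
    out = bytearray()
    for literal, hexpart in re.findall(r"([^|]*)(?:\|([^|]*)\|)?", content):
        out += literal.encode("latin-1")
        if hexpart:
            out += bytes.fromhex(hexpart)  # fromhex ignores the spaces between bytes
    return bytes(out)


def decode_telnet_options(pattern: bytes) -> list[str]:
    """Name each IAC DO option so an analyst sees what the rule really matches:
    the server asking the client for terminal/environment details after connect."""
    names = []
    for i in range(0, len(pattern) - 2, 3):
        if pattern[i] == 0xFF and pattern[i + 1] == 0xFD:
            names.append(TELNET_OPTIONS.get(pattern[i + 2], f"option-{pattern[i + 2]}"))
    return names


def rule_matches(server_to_client: bytes) -> bool:
    """Emulate only the content test; ports and flow:from_server are assumed checked."""
    return snort_content_to_bytes(RULE_CONTENT) in server_to_client


def triage(server_ip: str, managed_telnet_hosts: set[str]) -> str:
    """classtype:not-suspicious is the rule's default, not a verdict. Hypothetical policy:
    Telnet sessions to a host on the management list are expected; to any other host the
    same alert is a finding worth investigating, as the text above argues."""
    return "not-suspicious" if server_ip in managed_telnet_hosts else "investigate"
```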

Get Intrusion Detection with Snort now with the O’Reilly learning platform.