Unknown Traffic
An Unknown Traffic alert signifies that a potentially unusual event has been detected, but further investigation is required. Similar to the Not Suspicious Traffic genre of alerts, you should take the context in which these alerts are generated to determine the appropriate action. The following rule generates alerts when a Web server denies access to a requesting party. This familiar alert occurs when a person attempts to access a resource that he is not permitted to access, or any number of other access control violations.
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Connection Closed MSG from Port 80"; content:"Connection closed by foreign host"; nocase; flow:from_server,established; classtype:unknown;)
Get Intrusion Detection with Snort now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
