Subject: Re: [snort] Dynamic Rules?
From: Vanja Hrustic (vanjarelaygroup.com)
Date: Wed Mar 22 2000 - 18:05:52 CST


David Klotz wrote:
> result of a break-in. What would really have been helpful at that point
> would have been the ability to start logging _all_ telnet traffic between
> our internal host and the suspect external one, and maybe even add a few
> more alerts that were specific to the suspect host. I've looked through the

David,

I wanted to make (which means: "I never did" :) a simple perl script
that would monitor the logs and, when an alert 'worth recording' occurs,
the script would just invoke tcpdump (or snort), record the traffic for XY
minutes/seconds, and then terminate the tcpdump.

Now... the reason why I never actually did it is because I realized that
along with snort rules, I would need another set of rules for that
script (so that the script knows what to do for which alert).

It would be a nightmare for maintenance (at that point, you basically
have 2 IDSs to maintain, not only 1 ;), but it might work as a temporary
solution. Until Marty integrates it into Snort ;))

-- 

Vanja Hrustic The Relay Group http://relaygroup.com Technology Ahead of Time
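As an added illustration, not code from the thread, from Snort or from the Relay Group: a Python sketch of the helper described in the message above (the original idea was a perl script). It tails a Snort alert file, matches each alert against the "second set of rules" the message mentions (which alert messages are worth a capture, and for how many seconds), picks the non-internal side of the connection as the suspect host, and runs tcpdump filtered to that host for the configured time before terminating it. The alert-line layout (approximating Snort's one-line "fast" alert output), the internal network prefix, the interface name, the alert messages in the rule table and the sample lines are all constructed assumptions.

```python
"""Alert-triggered packet capture: a Python version of the perl helper
sketched in the post. Not part of Snort; assumptions are marked below."""
import re
import subprocess
import sys
import threading
import time

# The second rule set from the post: alert message -> capture length in
# seconds. Message strings are constructed examples, not real Snort rules.
CAPTURE_RULES = {
    "TELNET login incorrect": 600,
    "OVERFLOW-NOOP-X86": 300,
}

# One-line ("fast") alert, e.g. (constructed):
#   03/22-18:05:52.123456  [**] TELNET login incorrect [**] 192.0.2.9:1040 -> 10.0.0.5:23
# Optional "[gid:sid:rev]" and "{PROTO}" fields are tolerated.
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+(?:\[\d+:\d+:\d+\]\s+)?(?P<msg>.+?)\s+\[\*\*\].*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)


def parse_alert(line):
    """Return (msg, src_ip, dst_ip), or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return m.group("msg"), m.group("src"), m.group("dst")


def capture_plan(line, internal_prefix="10.0.0."):
    """Decide whether this alert is 'worth recording'. Returns
    (suspect_ip, seconds) or None. The suspect is whichever endpoint is
    not on our internal network (prefix is an assumed value)."""
    parsed = parse_alert(line)
    if parsed is None:
        return None
    msg, src, dst = parsed
    seconds = CAPTURE_RULES.get(msg)
    if seconds is None:
        return None
    suspect = dst if src.startswith(internal_prefix) else src
    return suspect, seconds


def tcpdump_argv(suspect_ip, outfile, iface="eth0"):
    """tcpdump command line: full packets, pcap output, only traffic
    to or from the suspect host (interface name is assumed)."""
    return ["tcpdump", "-i", iface, "-s", "0", "-w", outfile, "host", suspect_ip]


def run_capture(suspect_ip, seconds, outfile, iface="eth0"):
    """Record for `seconds`, then terminate tcpdump (the 'record for XY
    seconds, then kill it' step). Needs packet-capture privileges."""
    proc = subprocess.Popen(tcpdump_argv(suspect_ip, outfile, iface))
    try:
        proc.wait(timeout=seconds)
    except subprocess.TimeoutExpired:
        proc.terminate()
        proc.wait()
    return outfile


def follow(path, poll=1.0):
    """Yield lines appended to the alert file, like tail -f."""
    with open(path) as f:
        f.seek(0, 2)
        while True:
            line = f.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


if __name__ == "__main__":
    alert_file = sys.argv[1] if len(sys.argv) > 1 else "/var/log/snort/alert"
    active = {}  # suspect ip -> capture expiry; avoids one tcpdump per alert in a storm
    for line in follow(alert_file):
        plan = capture_plan(line)
        if plan is None:
            continue
        suspect, seconds = plan
        if active.get(suspect, 0) > time.time():
            continue
        active[suspect] = time.time() + seconds
        out = "suspect-%s-%d.pcap" % (suspect, int(time.time()))
        print("capturing", suspect, "for", seconds, "s ->", out)
        threading.Thread(target=run_capture, args=(suspect, seconds, out), daemon=True).start()
```

Run it as `python3 capture_on_alert.py /var/log/snort/alert` on the sensor. The per-host expiry map is the one thing the post's description does not mention but a practitioner hits immediately: a single noisy scan produces many alerts for the same host, and without it each one would spawn its own tcpdump.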