Subject: Re: [snort] Snort 1.7 projected features
From: Stephen Zedalis (tintype at exis.net)
Date: Thu Mar 30 2000 - 06:55:29 CST
- Next message: Stephen Zedalis: "Re: [snort] Spoofed IP source detection"
- Previous message: Cedric Amand: "Re: [snort] Spoofed IP source detection"
- In reply to: Andrew R. Baker: "[snort] Snort 1.7 projected features"
- Next in thread: Martin Roesch: "Re: [snort] Snort 1.7 projected features"
- Reply: Stephen Zedalis: "Re: [snort] Snort 1.7 projected features"
- Reply: Martin Roesch: "Re: [snort] Snort 1.7 projected features"
On Wed, 29 Mar 2000, Andrew R. Baker wrote:
>
>Address sets - allow for a list of address entries in a rule
>Port sets - allow for a list of port entries in a rule
>Dynamic Rules - allows rules to be activated/deactivated by other rules
>non-IP logging/alerting - allow rules for things other than IP
>redesigned "logto" - incorporate user requests for this plugin
>ARP rules - support for ARP packets
>IP/netmask format - use things like "192.168.0.4 255.255.0.255" in
> rules
>
>There will also be an assortment of new plugins to go along with this. I
>will not say this is the complete list of new features and I do not claim
>all will get implemented, but this is the current direction.
Just a thought, how about wildcards for the flags check? For instance, if
I am looking for ACK packets (and some content) but don't care about the
PSH or URG or DF flags. Right now, if I understand the docs correctly, I
have to match the flags exactly or create another signature. While it
might be useful to specify all possible variants separately, it might be
useful to lump certain mutations of a basic attack together. Maybe the
flag could be specified with a character prefix that means "don't care",
similar to the ! character which normally stands for "not". Would that be
doable? Or maybe simple logical bit operators for the flags?
Stephen
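One way to implement the "don't care" flag prefix Stephen asks about, as an added example that is not code from the thread or from Snort: the spec is compiled to a (mask, value) pair so that unmentioned flags must be clear, unprefixed flags must be set, and prefixed flags are ignored. The `~` prefix, the flag letters and the coverage of TCP flags only (not the IP DF bit) are assumptions made for this illustration.

```python
# Added example: TCP flag matching with a "don't care" prefix, done as a
# mask/value test. The '~' prefix is an assumed syntax, not Snort's own.

# TCP flag bits in header order, keyed by the letters Snort rules use;
# '1' and '2' stand for the two reserved bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}
ALL_BITS = 0xFF
DONT_CARE = "~"   # assumed prefix meaning "this flag may be set or clear"


def compile_flags(spec):
    """Turn a spec such as 'A~P~U' into a (mask, value) pair.

    Flags without a prefix must be set, flags not mentioned must be clear
    (the exact-match behaviour the post describes), and flags prefixed
    with '~' are removed from the mask so they do not take part in the test.
    """
    mask, value = ALL_BITS, 0
    ignore_next = False
    for ch in spec:
        if ch == DONT_CARE:
            ignore_next = True
            continue
        bit = FLAG_BITS[ch]           # KeyError on an unknown flag letter
        if ignore_next:
            mask &= ~bit & ALL_BITS   # drop this flag from the comparison
            ignore_next = False
        else:
            value |= bit
    if ignore_next:
        raise ValueError("dangling don't-care prefix in %r" % spec)
    return mask, value


def flags_match(spec, tcp_flags):
    """True when the packet's 8-bit TCP flags field satisfies the spec."""
    mask, value = compile_flags(spec)
    return (tcp_flags & mask) == value


def rules_needed(spec):
    """How many exact-match rules the single wildcard spec replaces."""
    mask, _ = compile_flags(spec)
    return 2 ** bin(ALL_BITS & ~mask).count("1")
```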