Subject: RE: [Snort-users] One for the Wishlist
From: Dragos Ruiu (drdursec.com)
Date: Fri Aug 25 2000 - 13:59:13 CDT


There is nothing that needs to be added to snort to enable this.
Just pick a convention (i.e. a number at the beginning of the message
indicating severity) and edit your rules file to change the messages
output string for that rule to include your convention. Then
postprocess to your heart's content. Ah, the beauty of open
source...

How's that for rapid implementation of new features. :-)

cheers,
--dr

On Fri, 25 Aug 2000, Steve Halligan wrote:
>
> That is exactly my point. A log parser (or database query in my case)
> can't assign a severity to an event unless you assign the severity to events
> in the parser script. This would mean re-writing the parser for every rule
> addition. If the parser can just look at the log and see "Severity=5" it
> makes it much easier to code the parser.
>
> -----Original Message-----
> From: Ed Padin [mailto:epadinwagweb.com]
> Sent: Friday, August 25, 2000 10:59 AM
> To: Snort-Users (E-mail)
> Subject: RE: [Snort-users] One for the Wishlist
>
>
> These sound like nice features but I wonder if they would be better suited
> to a log parser rather than snort itself.
>
> -----Original Message-----
> From: Steve Halligan [mailto:agent33geeksquad.com]
> Sent: Friday, August 25, 2000 11:03 AM
> To: Snort-Users (E-mail)
> Subject: [Snort-users] One for the Wishlist
>
>
>
> I know this has been mentioned before, but I would like to see the ability
> to assign a severity level to a rule. For example a PING-ICMP_TIME_EXCEEDED
> may be a severity=1 while an FTP-badlogin may be a 3 and a DDoS-shaft handler
> to agent may be a 5. I know that this is somewhat subjective, but once the
> rules have been modified to minimize false positives in your environment,
> this could really aid tuning flex response and automated nastygram response
> (tm). It would also give us the ability to flag a potential attacker. For
> example traffic from a.b.c.d triggers a rule with a severity=5, all traffic
> from this ip will be logged for X amount of time. We can also automagically
> add him to a "watch list" and pay special attention to events from him even
> after X amount of time has expired.
>
> -Steve
>
>


-- 
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E  B7DC 2B71 A73E D2E8 A56D 
pgp key: http://www.dursec.com/drkey.asc
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
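Dragos's suggestion (a severity convention in the rule's msg string, then postprocessing) and Steve's watch-list idea, written out as an added example that is not from the original thread: a small Python postprocessor over constructed alert lines. It assumes each msg string is prefixed with "S<n>" (n = 1..5) and uses a simplified Snort fast-alert line layout; the sample lines, the one-hour logging window and the field names are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts (not from the original thread). Convention assumed:
# the rule's msg string starts with "S<n>", the severity agreed on locally.
SAMPLE_ALERTS = """\
08/25-10:59:01.000001 [**] S1 PING-ICMP_TIME_EXCEEDED [**] 10.1.1.7 -> 192.168.0.2
08/25-10:59:05.000002 [**] S3 FTP-badlogin [**] 10.1.1.9:3456 -> 192.168.0.21:21
08/25-11:00:10.000003 [**] S5 DDoS-shaft handler to agent [**] 10.1.1.9:4120 -> 192.168.0.5:18753
08/25-11:03:00.000004 [**] S1 PING-ICMP_TIME_EXCEEDED [**] 10.1.1.9 -> 192.168.0.2
08/25-12:30:00.000005 [**] S1 PING-ICMP_TIME_EXCEEDED [**] 10.1.1.9 -> 192.168.0.2
"""

# Simplified fast-alert layout: timestamp [**] S<sev> msg [**] src[:port] -> dst[:port]
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"S(?P<sev>[1-5]) (?P<msg>.+?) \[\*\*\] "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (?P<dst>\S+)$"
)


def parse_alert(line, year=2000):
    """Pull timestamp, severity, msg and endpoints out of one alert line; None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sev": int(m["sev"]), "msg": m["msg"], "src": m["src"], "dst": m["dst"]}


def process(text, watch_sev=5, window=timedelta(hours=1)):
    """Annotate every alert with two bits derived from the severity convention:
    'flagged'       - source hit >= watch_sev within the last `window` (log everything)
    'on_watch_list' - source ever hit >= watch_sev (keep paying attention after expiry)
    """
    flag_until = {}      # src ip -> end of the "log all traffic" window
    watch_list = set()   # src ips that ever tripped a high-severity rule
    out = []
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        if a["sev"] >= watch_sev:
            flag_until[a["src"]] = a["ts"] + window
            watch_list.add(a["src"])
        a["flagged"] = a["src"] in flag_until and a["ts"] <= flag_until[a["src"]]
        a["on_watch_list"] = a["src"] in watch_list
        out.append(a)
    return out
```

Because severity lives in the msg string, new rules need no parser change: only the rule file is edited, exactly as the reply describes.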