[Snort-devel] Wishlist?

Matías Bevilacqua matias at ...590...
Fri Aug 10 05:46:54 EDT 2001


Hi everybody!
To begin with don't flame me if this is SOT but I just can't find any better
place to drop this into.
Last night I began writing a new sp_ plugin for Snort called TF (Time
Frame). It was the first time I wrote a plugin for Snort and was very
surprised at how easy and yet powerfull those plugins can be.
The idea is the following:
 
Syntax: TF:
[<DAY:hour_begin/hour_end><DAY:hour_begin/hour_end><DAY:hour_begin/hour_end>
...]
 
Let's just drop an example:
 
alert tcp $HOME_NET any -> any 80 (msg: "Glups! something's wrong here!";
TF: "Sa:15:00/24:00 Su:00:00/24:00 Mo:00:00/08:00")
 
The idea here is the following... It's perfectly right to have WEB traffic
on my network, but I know that on Saturday the office closes at 15:00 and
doesn't open up until Monday 8:00... thus theoretically there should be no
"legal" web traffic in that Time Frame. [Yup, I now about scheduled http
downloads and all sort's of things which could fire this rule, take it just
as an example ok?]
 
As I said before I began writing an sp_TF plugin and got it working. The
problem is that when I finally understood how plugins work in Snort I
discovered that implementing TF as a plugin was VERY ineficient! :(
I thought about creating some cool scripts which could change dynamicaly
snort rules and scheduling it in cron but it seemed a bit too "cranky"
That's why I'm writing this here now... maybe someone will integrate this
into Snort someday!
 
Actually it would be sort of similar to DYNAMIC rules but fired based on
time, not on traffic.
 
Just my 2c.
Mat.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20010810/33ce7cbf/attachment.html>


More information about the Snort-devel mailing list