[Snort-devel] New Feature for Snort...

Jon B Anderson
Mon May 6 20:20:02 EDT 2002


I don't know if this has been considered before, but for people who have
snort installed on a router computer, it would be nice to not log the web
traffic coming from the internal network.  As this shows up twice in both
the alert and the portscan.log files, the ability to remove the logging of
this traffic would be really good.

I was thinking that maybe this could be a setting in the config file or a
command-line option for routers, like '-R' for router.  Anyway.

I've added a line of code that essentially removes the traffic from the
log, in the 1.8.6 distribution source at line 989.  The line:

if(currentSource->destinationsList->connectionsList->dport != 80)


In other words, it looks like this:

if(currentSource->reportTime.tv_sec + maxTime.tv_sec < currTime.tv_sec)
{
    if(currentSource->destinationsList->connectionsList->dport != 80)
        if(currentSource->numberOfConnections == 0)
        {
            /* Portscan stopped.  Clear flag. */

It should be fairly easy for anyone who understands the source better than
I do; about an hour to add the command-line option and link it to that
code right there.

Anyway, I'm not sure what the implications of this one line of code would
be.  There probably needs to be more checking than this...  like maybe
checking that the source IP is the computer's IP address too would be good.

Anyway, keep up the good work.
Brad Anderson
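A constructed C sketch of the fuller check the post asks for (drop the portscan record only when the source is the router's own address and every tracked connection went to port 80), added here as an example; it is not Snort's code, and the struct layout, the router address and the port lists are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-in for the portscan preprocessor's per-source record:
 * a source address plus the list of connections seen from it. */
typedef struct Connection {
    uint16_t dport;              /* destination port */
    struct Connection *next;
} Connection;
typedef struct Source {
    uint32_t saddr;              /* source IPv4, host byte order */
    Connection *connections;
} Source;
/* Suppress the record only when the source is the router's own address AND
 * every connection went to port 80; any non-web port from that host, or any
 * other source address, is still logged as before. */
bool should_log_portscan(const Source *src, uint32_t router_ip)
{
    if (src->saddr != router_ip)
        return true;             /* someone else's traffic: always log */
    for (const Connection *c = src->connections; c != NULL; c = c->next)
        if (c->dport != 80)
            return true;         /* at least one non-web target: log it */
    return false;                /* only port 80 from our own address */
}

/* Build a Source from an array of destination ports (constructed sample data). */
Source make_source(uint32_t saddr, Connection *buf, const uint16_t *ports, size_t n)
{
    Source s = { saddr, NULL };
    for (size_t i = n; i > 0; i--) {              /* link back to front */
        buf[i - 1].dport = ports[i - 1];
        buf[i - 1].next = s.connections;
        s.connections = &buf[i - 1];
    }
    return s;
}

int main(void)
{
    const uint32_t router = 0xC0A80101u;          /* 192.168.1.1, constructed */
    const uint16_t web[] = { 80, 80, 80 }, mixed[] = { 80, 22, 443 };
    Connection b1[3], b2[3];
    Source browsing = make_source(router, b1, web, 3);
    Source scanning = make_source(router, b2, mixed, 3);
    printf("browsing logged: %d, scanning logged: %d\n",
           should_log_portscan(&browsing, router), should_log_portscan(&scanning, router));
    return 0;
}
```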
