[Snort-devel] New feature wanted: Locate the bad guy?

Gianni Tedesco gianni at ...1804...
Fri Jul 4 03:29:05 EDT 2003


On Mon, 2003-06-23 at 10:57, Martin Olsson wrote:
> One could exchange this with labels indicating the type of the packet:
> Q = This is a query
> R = This is a response
> A = Any of the two

I kinda like using the direction arrow for it, so the first address is
always bad guy.

$EXTERNAL_NET -> $HOME_NET

would work for most things. Then for sigs like 'id check returns root'
the rule is:

$EXTERNAL_NET <- $HOME_NET

and bi-directional rules <> as you say are special case...

-- 
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
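The convention discussed above (first address in the header is always the attacker, with `<-` marking the case where the attacker receives the matching packet) is a proposal in this thread, not Snort syntax: Snort's rule headers accept only `->` and `<>`. The following Python is an added example, not code from the thread or from Snort, showing how such a convention could be parsed, how the "bad guy" endpoint of a matching packet would be resolved from it, and how a `<-` rule would be rewritten into the `->` form Snort actually loads. Rule headers, variable names and addresses in it are constructed for illustration.

```python
"""Interpret the 'first address is the bad guy' rule-header convention.

Added example (hypothetical helper, not Snort code). Assumes the convention
proposed in the thread:
  A -> B   : A is the attacker and sends the matching packet
  A <- B   : A is the attacker but receives the matching packet
  A <> B   : bidirectional, attacker not determinable from the header
"""
import re
from typing import Dict, Optional

# Matches the header part of a rule: action proto ip port op ip port
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<a_ip>\S+)\s+(?P<a_port>\S+)\s+"
    r"(?P<op>->|<-|<>)\s+"
    r"(?P<b_ip>\S+)\s+(?P<b_port>\S+)\s*$"
)

def parse_header(header: str) -> Dict[str, str]:
    """Split a rule header into its fields; raise on anything unrecognised."""
    m = HEADER_RE.match(header.strip())
    if not m:
        raise ValueError(f"unparseable rule header: {header!r}")
    return m.groupdict()

def attacker_side(header: str) -> str:
    """Return 'src', 'dst' or 'either': which endpoint of a matching packet
    is the attacker under the first-address-is-bad-guy convention."""
    op = parse_header(header)["op"]
    return {"->": "src", "<-": "dst", "<>": "either"}[op]

def attacker_address(header: str, src_ip: str, dst_ip: str) -> Optional[str]:
    """Given a packet that matched `header`, pick the attacker's IP.
    Returns None for a bidirectional rule, where the header cannot tell."""
    side = attacker_side(header)
    if side == "src":
        return src_ip
    if side == "dst":
        return dst_ip
    return None

def to_snort_syntax(header: str) -> str:
    """Rewrite a '<-' header into the '->' form Snort accepts by swapping
    the two sides. '->' and '<>' headers are returned normalised but
    otherwise unchanged. The attacker-side information is lost here, so a
    caller wanting it must keep attacker_side() as separate metadata."""
    h = parse_header(header)
    if h["op"] == "<-":
        h["a_ip"], h["b_ip"] = h["b_ip"], h["a_ip"]
        h["a_port"], h["b_port"] = h["b_port"], h["a_port"]
        h["op"] = "->"
    return (f'{h["action"]} {h["proto"]} {h["a_ip"]} {h["a_port"]} '
            f'{h["op"]} {h["b_ip"]} {h["b_port"]}')

if __name__ == "__main__":
    # Constructed sample rules: an inbound probe and the 'id check returns root'
    # style response rule from the thread, written in the proposed notation.
    probe = "alert tcp $EXTERNAL_NET any -> $HOME_NET 22"
    root_resp = "alert tcp $EXTERNAL_NET any <- $HOME_NET any"
    # Constructed packet that matched root_resp: home host replying outwards.
    print(attacker_side(probe), attacker_address(probe, "203.0.113.7", "192.168.1.5"))
    print(attacker_side(root_resp), attacker_address(root_resp, "192.168.1.5", "203.0.113.7"))
    print(to_snort_syntax(root_resp))
```

The point of keeping `attacker_side()` separate from `to_snort_syntax()` is that once the `<-` rule is flipped into loadable `->` form, the header no longer says who the attacker is; that has to travel with the rule as metadata, which is the gap the thread's proposal is trying to fill.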