[Snort-devel] New feature wanted: Locate the bad guy?
elof at ...969...
Mon Jul 7 05:12:24 EDT 2003
On 4 Jul 2003, Gianni Tedesco wrote:
> On Mon, 2003-06-23 at 10:57, Martin Olsson wrote:
> > One could exchange this with labels indicating the type of the packet:
> > Q = This is a query
> > R = This is a response
> > A = Any of the two
> I kinda like using the direction arrow for it, so the first address is
> always bad guy.
> $EXTERNAL_NET -> $HOME_NET
> would work for most things. Then for sigs like 'id check returns root'
> the rule is:
> $EXTERNAL_NET <- $HOME_NET
As you already have been told, the <- direction has been deprecated.
Even if it was possible, the reporting tool would have no clue as to whether
the matched packet was triggered by a "->" rule or a "<-" rule.
No matter how the problem is solved syntactically, you need to add new
information to the _alerts_. This information gives the reporting tools the
possibility to create correct reports (as described earlier).
So, two things are needed:
* Snort needs to tag the alerts with a reference to the "bad" side
* Reporting tools need to take the new tag into account when
generating reports that show the worst offenders and the most attacked
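To make the reporting side of that concrete, here is an added example (mine, not code from this thread or from the Snort project). It parses a few constructed alert lines in Snort's fast-alert style, looks up a hypothetical per-signature "bad side" tag (the sids 1000001/1000002 and the BAD_SIDE table are invented for the example), and counts worst offenders and most-attacked hosts. A naive reporter that always treats the packet source as the attacker is included alongside, to show how a "response" signature miscredits the victim as an offender without the tag.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort fast-alert style (not real Snort output).
# The third line is a "response" signature: the packet flows victim -> attacker.
SAMPLE_ALERTS = """\
07/07-05:01:12.000001  [**] [1:1000001:1] EXPLOIT hypothetical overflow [**] [Priority: 1] {TCP} 203.0.113.7:4411 -> 192.0.2.10:80
07/07-05:01:13.000002  [**] [1:1000001:1] EXPLOIT hypothetical overflow [**] [Priority: 1] {TCP} 203.0.113.7:4412 -> 192.0.2.11:80
07/07-05:01:14.000003  [**] [1:1000002:1] ATTACK-RESPONSES id check returns root [**] [Priority: 1] {TCP} 192.0.2.10:80 -> 203.0.113.7:4411
07/07-05:01:15.000004  [**] [1:1000001:1] EXPLOIT hypothetical overflow [**] [Priority: 1] {TCP} 198.51.100.9:5000 -> 192.0.2.10:80
"""

# Hypothetical per-signature "bad side" tag (the new information the post asks for).
# "src": the packet source is the bad guy (the usual $EXTERNAL_NET -> $HOME_NET case).
# "dst": the packet destination is the bad guy (a response flowing back to the attacker).
BAD_SIDE = {
    1000001: "src",
    1000002: "dst",
}

# Matches the sid, message, protocol and the two endpoints of a fast-alert line.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Yield one dict per parseable alert line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alert = m.groupdict()
            alert["sid"] = int(alert["sid"])
            yield alert


def attribute(alert, bad_side=BAD_SIDE):
    """Return (attacker, victim) for one alert using the per-sid bad-side tag.
    Signatures without a tag fall back to treating the source as the attacker."""
    if bad_side.get(alert["sid"], "src") == "dst":
        return alert["dst"], alert["src"]
    return alert["src"], alert["dst"]


def report(text, bad_side=BAD_SIDE):
    """Tag-aware report: (worst offenders, most attacked) as Counters."""
    offenders, victims = Counter(), Counter()
    for alert in parse_alerts(text):
        attacker, victim = attribute(alert, bad_side)
        offenders[attacker] += 1
        victims[victim] += 1
    return offenders, victims


def naive_report(text):
    """What a reporter that always assumes 'source = attacker' produces."""
    offenders, victims = Counter(), Counter()
    for alert in parse_alerts(text):
        offenders[alert["src"]] += 1
        victims[alert["dst"]] += 1
    return offenders, victims


if __name__ == "__main__":
    for name, (offenders, victims) in (("tag-aware", report(SAMPLE_ALERTS)),
                                       ("naive", naive_report(SAMPLE_ALERTS))):
        print(f"{name}: worst offenders {offenders.most_common(3)}")
        print(f"{name}: most attacked  {victims.most_common(3)}")
```

With the tag, 203.0.113.7 is credited with all three of its alerts and 192.0.2.10 never appears as an offender; the naive reporter lists the victim 192.0.2.10 as an attacker because of the response signature.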