[Snort-devel] New feature wanted: Locate the bad guy?

Martin Olsson elof at ...969...
Mon Jul 7 05:12:24 EDT 2003


On 4 Jul 2003, Gianni Tedesco wrote:
> On Mon, 2003-06-23 at 10:57, Martin Olsson wrote:
> > One could exchange this with labels indicating the type of the packet:
> > Q = This is a query
> > R = This is a response
> > A = Any of the two
> I kinda like using the direction arrow for it, so the first address is
> always bad guy.
> $EXTERNAL_NET -> $HOME_NET
> would work for most things. Then for sigs like 'id check returns root'
> the rule is:
> $EXTERNAL_NET <- $HOME_NET

As you have already been told, the <- direction has been deprecated.

Even if it was possible, the reporting-tool would have no clue as to if
the matched packet was triggered by a "->"-rule or a "<-"-rule.

No matter how the problem is solved syntactically, you need to add new
information to the _alerts_. This information gives the reporting tools the
possibility to create correct reports (as described earlier).


So, two things are needed:
* Snort needs to tag the alerts with a reference to the "bad" side
* Reporting tools need to take the new tag into account when
  generating reports that show the worst offenders and the most attacked
  hosts.

/Martin
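A sketch of what the two items above imply for a reporting tool, added here as an example rather than code from Snort or from anyone in the thread. The alert records, the `bad_side` tag and the rule-direction mapping are constructed assumptions; the point is that a report keyed on "source = attacker" breaks on response-type signatures unless the alert carries the tag.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sig: str
    src: str
    dst: str
    bad_side: str  # proposed tag: "src" or "dst" names the attacker's end


def bad_side_from_direction(direction: str) -> str:
    """Derive the tag from the rule header's direction operator
    (Gianni's convention: the first address is always the bad guy)."""
    return {"->": "src", "<-": "dst"}[direction]


# Constructed sample alerts, not real Snort output. The third one comes from a
# response-type signature: the matched packet flows from the compromised
# internal host back to the attacker, so the attacker is the *destination*.
ALERTS = [
    Alert("WEB-ATTACKS /bin/id", "203.0.113.7", "192.0.2.10", bad_side_from_direction("->")),
    Alert("WEB-ATTACKS /bin/id", "203.0.113.7", "192.0.2.11", bad_side_from_direction("->")),
    Alert("ATTACK-RESPONSES id check returns root", "192.0.2.10", "203.0.113.7",
          bad_side_from_direction("<-")),
]


def naive_report(alerts):
    """What reporting tools do today: source is always the offender."""
    offenders = Counter(a.src for a in alerts)
    victims = Counter(a.dst for a in alerts)
    return offenders, victims


def tagged_report(alerts):
    """Honour the per-alert tag: swap the ends when the bad side is dst."""
    offenders, victims = Counter(), Counter()
    for a in alerts:
        attacker, target = (a.src, a.dst) if a.bad_side == "src" else (a.dst, a.src)
        offenders[attacker] += 1
        victims[target] += 1
    return offenders, victims


if __name__ == "__main__":
    print("naive :", naive_report(ALERTS))   # internal host wrongly listed as offender
    print("tagged:", tagged_report(ALERTS))  # external host counted for all three
```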
