[Snort-devel] Re: "bad guy" tagging (Was: Re: Regarding rule 491 INFO FTP Bad login)

Martin Olsson elof at ...969...
Wed Jul 16 02:17:08 EDT 2003

On Tue, 15 Jul 2003, Erek Adams wrote:
> On Mon, 14 Jul 2003, Martin Olsson wrote:
> > No, snort doesn't, and I don't think it should. The operator analyzing the
> > alert should see the alerts unmodified in order to keep it simple and
> > understandable.
> > Instead I've made a request (in the snort-devel-mailinglist) for some kind
> > of tagging-system where each alert is tagged with information about where
> > the bad guy is located, src or dst. In your case it would be the
> > destination side since the source is the attacked FTP server.
> Ok, maybe I'm missing something, but what would be the purpose of the "bad
> guy" tagging?  You should _already_ know who the bad guy is.

Yes, by manually analyzing the rule one can understand where the offender
is. The purpose of my request is to make programs (you know, non-human
things) able to distinguish the offenders and targets from the addresses
of the alerts.

Today there are several reporting tools for snort, but none of them can
create a correct report-summary where the worst offenders and targets are
displayed. This is due to the fact that they lack the above information.
Instead they simply lump together all the destination addresses of the
last month's alerts, sort and count them. The same thing is done with the
source addresses. The result, a report I send to my customer, contain
misleading information.

The report have one section called "The most frequent 15 source
addresses". The customer easily read this as "The worst 15 offenders".
After all, that is what we would like to have in the report, right?

Most of the time the source address really _is_ the offender. The problem
is that in the list of the 15 most frequent source addresses we'll see the
address of some of our targets too.
The FTP-rule 491 (FTP bad login) is one of them. Since this is a
_response_ from the FTP server to the offender, the logged packet will
have the FTP server as source. Hence you can't simply say that src =

Some other nice effects of "bad guy" tagging would be:
* It would make a correlating engine, chewing through the alert-database,
  smarter and more accurate.
* The frontend could directly display the offender's IP address in e.g.
  red color.

All in all, a more accurate system with the possibility for less false

In short, the reason why I want "bad guy" tags in the rules is to
introduce the possibility for a very basic form of intelligence in the
frontends, correlating engines and reporting tools.

The added information I'm talking about would be static, extremely easy to
add to the rules and have no negative impact on the performance of snort.
I think this is such a fundamental function in an IDS that I have problems
understanding why anyone would _not_ want it.

Martin Olsson

More information about the Snort-devel mailing list