[Snort-devel] New feature wanted: Locate the bad guy?

Martin Olsson elof at ...969...
Thu Jun 19 03:09:17 EDT 2003


One thing I miss in my Snort + ACID + SnortCenter system is the
possibility to easily show the operator on what side (source or
destination) the bad guy is located.

ACID (with SnortCenter) can display the "Most Frequent 15 Source
Addresses" and the "Most Frequent 15 Destination Addresses". These reports
show exactly that - the most common src and dst ADDRESSES.

One might think that the list of the 15 source addresses is where the bad
guys are, and the 15 destinations are their targets. This isn't so.
The snort rules contain both alerts for attacks and attack responses.

Example:
src: A.A.A.A  dst: B.B.B.B   A sends an attack to B
src: C.C.C.C  dst: D.D.D.D   C sends a response to D

When listing the most frequent source addresses we'll see A and C.
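To make the problem concrete, here is an added example (not code from the post, from Snort or from ACID) that parses Snort "fast"-format alert lines and compares the naive "most frequent source addresses" report with a report that first decides, per alert, which side the attacker is on. The decision rule is an assumption for illustration: a rule whose message starts with ATTACK-RESPONSES fires on the victim's reply, so the attacker is the destination; every other rule is treated as an attack, so the attacker is the source. The alert lines, SIDs and messages are constructed to mirror the A/B/C/D scenario above and are not from a real rules file.

```python
import re
from collections import Counter

# Constructed Snort fast-format alert lines mirroring the post's example:
# A attacks B (two alerts); C, a victim, sends an attack response to D (three
# alerts), so D is the bad guy even though C is the most frequent source.
# SIDs 9000001/9000002 and the messages are placeholders, not real rules.
SAMPLE_ALERTS = """\
06/19-03:00:01.000000  [**] [1:9000001:1] WEB-ATTACKS constructed attack [**] [Classification: Web Application Attack] [Priority: 1] {TCP} A.A.A.A:40000 -> B.B.B.B:80
06/19-03:00:02.000000  [**] [1:9000001:1] WEB-ATTACKS constructed attack [**] [Classification: Web Application Attack] [Priority: 1] {TCP} A.A.A.A:40001 -> B.B.B.B:80
06/19-03:00:03.000000  [**] [1:9000002:1] ATTACK-RESPONSES constructed response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} C.C.C.C:80 -> D.D.D.D:50000
06/19-03:00:04.000000  [**] [1:9000002:1] ATTACK-RESPONSES constructed response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} C.C.C.C:80 -> D.D.D.D:50001
06/19-03:00:05.000000  [**] [1:9000002:1] ATTACK-RESPONSES constructed response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} C.C.C.C:80 -> D.D.D.D:50002
"""

# Fast-format layout: "[**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port".
# Addresses are matched as bare tokens so the post's symbolic A.A.A.A style works.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>\S+?)(?::\d+)? -> (?P<dst>\S+?)(?::\d+)?$"
)

# Assumed direction rule: rules named after the attack-responses rules file
# fire on the victim's reply, so for them the attacker sits at the destination.
RESPONSE_PREFIXES = ("ATTACK-RESPONSES",)


def parse_alert(line):
    """Parse one fast-format alert line into a dict, or None if it does not match."""
    m = ALERT_RE.search(line.strip())
    return m.groupdict() if m else None


def attacker_and_target(alert):
    """Return (attacker, target) for a parsed alert using the assumed direction rule."""
    if alert["msg"].startswith(RESPONSE_PREFIXES):
        return alert["dst"], alert["src"]
    return alert["src"], alert["dst"]


def _parsed(lines):
    return [a for a in map(parse_alert, lines) if a]


def top_sources(lines, n=15):
    """The naive ACID-style report: most frequent source addresses."""
    return Counter(a["src"] for a in _parsed(lines)).most_common(n)


def top_attackers(lines, n=15):
    """Most frequent addresses on the attacking side, per the direction rule."""
    return Counter(attacker_and_target(a)[0] for a in _parsed(lines)).most_common(n)


def top_targets(lines, n=15):
    """Most frequent addresses on the attacked side, per the direction rule."""
    return Counter(attacker_and_target(a)[1] for a in _parsed(lines)).most_common(n)


if __name__ == "__main__":
    lines = SAMPLE_ALERTS.splitlines()
    print("most frequent sources :", top_sources(lines))
    print("most frequent attackers:", top_attackers(lines))
    print("most frequent targets  :", top_targets(lines))
```

With the sample data the naive source list ranks C first, while the direction-aware list ranks D first and puts C among the targets, which is exactly the distinction the operator needs. In a real deployment the per-rule direction would have to come from rule metadata rather than from the message prefix, since not every response-style signature follows that naming convention.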
