[Snort-devel] New feature wanted: Locate the bad guy?

Neil sdev2 at ...413...
Tue Jun 24 05:22:15 EDT 2003


I have to agree with Martin on this.  I think that knowing which
side is causing the alert would be extremely useful.  Think of a
simple example with HTTP 501 - Access Forbidden errors.  Since Snort
alerts on the response from the server, the destination is the
attacker and the source is the web server.  Using a flag like Martin
suggests would allow you to re-classify the alert so the Attacker
could easily be identified.

This almost sounds like it would be something that could be added into
the existing flow directives.  We already have flow:from_server, what
about flow:from_server_response or something along those lines?

I think this is an issue worth exploring.

Neil

On 06-23 (11:57), Martin Olsson wrote:
<snip> 
> Hmmm, only one reply to my posting... Am I really the only one who think
> this is a nice idea? There must be hundreds of reports built every day
> with misleading information and statistics.




More information about the Snort-devel mailing list