[Snort-devel] plugin idea
mike at ...31...
Mon Apr 5 00:36:03 EDT 2004
On Apr 1, 2004, at 20:42, Piotr Kowalczyk wrote:
> The problem is that I really need some
> idea, something which hasn't been implemented yet and wouldn't be too
> hard to do.

How about getting all IP addresses from the portscan plugin, and making a
plugin that logs all traffic from the internal network that goes to
those who have done a portscan? Or instead of logging all IP packages,
just log the first 50 or 100 of them.

The idea here is to get all traffic that goes back to a potential
attacker, so you can determine if there has been a successful attack
against any of your protected machines -- even if you don't have a
signature for the attack itself...
"It is a lesson which all history teaches wise men, to put trust in
ideas, and not in circumstances." --Ralph Waldo Emerson
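
The selection logic proposed in the message above, as an added example that is not part of the original post and is not Snort code: a watchlist of portscan sources with a per-scanner cap on how many internal-to-scanner packets get logged. The names `watch_add` and `should_log`, the 192.168.0.0/16 internal range, the table size and the addresses are all assumptions made for illustration; IPs are host-order 32-bit integers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SCANNERS  64   /* watchlist capacity (assumed) */
#define PACKET_BUDGET 50   /* "first 50 or 100" packets per scanner */

struct scanner { uint32_t ip; unsigned logged; };
static struct scanner watch[MAX_SCANNERS];
static size_t nwatch;

/* Internal network assumed to be 192.168.0.0/16 (constructed value). */
static const uint32_t HOME_NET = 0xC0A80000u, HOME_MASK = 0xFFFF0000u;
static int is_internal(uint32_t ip) { return (ip & HOME_MASK) == HOME_NET; }

/* Called when a portscan source is reported; returns 0 if the table is full. */
int watch_add(uint32_t ip)
{
    for (size_t i = 0; i < nwatch; i++)
        if (watch[i].ip == ip) return 1;   /* already tracked: keep its counter */
    if (nwatch == MAX_SCANNERS) return 0;  /* caller should alert, not drop silently */
    watch[nwatch].ip = ip; watch[nwatch].logged = 0; nwatch++;
    return 1;
}

/* Returns 1 if the packet should be logged: source is internal, destination
 * is a known scanner, and that scanner's budget is not yet used up. */
int should_log(uint32_t src, uint32_t dst)
{
    if (!is_internal(src)) return 0;       /* only traffic going back out */
    for (size_t i = 0; i < nwatch; i++) {
        if (watch[i].ip != dst) continue;
        if (watch[i].logged >= PACKET_BUDGET) return 0;
        watch[i].logged++;
        return 1;
    }
    return 0;                              /* destination never scanned us */
}

int main(void)
{
    uint32_t scanner = 0xCB007107u;        /* 203.0.113.7, constructed */
    uint32_t host    = 0xC0A8010Au;        /* 192.168.1.10, constructed */
    int logged = 0;
    watch_add(scanner);
    for (int i = 0; i < 80; i++) logged += should_log(host, scanner);
    printf("logged %d of 80 packets\n", logged);
    return 0;
}
```

Re-reporting an already tracked scanner does not reset its counter here, so a repeated scan cannot be used to refill the logging budget.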