[Snort-devel] plugin idea

Mike Andersen mike at ...31...
Mon Apr 5 00:36:03 EDT 2004


On Apr 1, 2004, at 20:42, Piotr Kowalczyk wrote:

> The problem is that, i really need some
> idea, something which hasn't been implemented yet and wouldn't be too
> hard to do.

How about getting all IP addresses from the portscan plugin, and make a 
plugin that logs all traffic from the internal network that goes to 
those who have done a portscan?  Or instead of logging all IP packages, 
just log the first 50 or 100 of them.

The idea here is to get all traffic that goes back to a potential 
attacker, so you can determine if there have been a successful attack 
against any of your protected machines -- even if you don't have a 
signature for the attack itself...

mike
-- 
"It is a lesson which all history teaches wise men, to put trust in
  ideas, and not in circumstances."            --Ralph Waldo Emerson





More information about the Snort-devel mailing list