Thu Nov 23 16:31:58 EST 2017
and C, the source IPs of the alerts.
No, A and D are the bad hosts. B and C are the targets. (C is replying to
an attack from D)
So, how do we get a report where the sources and destinations of the
actual ATTACKS are shown?
If we add a new field in the rules, declaring what side of the packet is
"bad", then we should be able to create a reporting mechanism that puts
together the correct report.
This is how the rules look at present:
alert tcp any any -> any any (msg:"Attack"; content:"cmd.exe";)
alert tcp any any -> any any (msg:"Response"; content:"\WINNT\system32";)
This is how they could look with the new field:
alert tcp any any -> any any S (msg:"Attack"; content:"cmd.exe";)
alert tcp any any -> any any D (msg:"Response"; content:"\WINNT\system32";)
S = The source address is the bad guy (he wants to run cmd.exe)
D = The destination address is the bad guy (the source address is replying
with a DOS-prompt)
A = Any of the two (for rules with the direction <>, and for rules that
just log packets with no particular options)
What do you think?
Sentor AB, Sweden
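To make the proposal concrete, here is an added example (not part of the original message, and not Snort code) that parses rules carrying the proposed S/D/A token, then turns raw alerts back into attacker/target pairs for a report. The rule syntax with the extra field, the host addresses and the alert list are all constructed for this illustration; the "A" default for rules without the field is an assumption of the example.

```python
import re
from collections import Counter

# Hypothetical extension of the Snort rule header (from the proposal above):
# an optional single token S / D / A between the destination port and the
# option list. Plain Snort has no such field; this parser assumes it.
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)'
    r'(?:\s+(?P<bad>[SDA]))?\s*\((?P<opts>.*)\)\s*$'
)


def parse_rule(line):
    """Parse one rule line into a dict; a missing bad-side token defaults to 'A'
    (assumption: 'either side', i.e. no attacker/target decision possible)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % line)
    rule = m.groupdict()
    rule["bad"] = rule["bad"] or "A"
    # Options are 'key:"value";' pairs; msg is used to match alerts to rules.
    opts = {}
    for item in rule.pop("opts").split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    rule["msg"] = opts.get("msg", "")
    rule["options"] = opts
    return rule


def attacker_target(rule, src, dst):
    """Map an alert's packet addresses to (attacker, target) using the rule's
    bad-side flag. Returns None when the rule says 'A' (either side)."""
    if rule["bad"] == "S":
        return src, dst          # the sender is the bad guy
    if rule["bad"] == "D":
        return dst, src          # the receiver is the bad guy (sender is replying)
    return None


def attack_report(rules, alerts):
    """Return (attacks, undecided): attacks counts (attacker, target) pairs,
    undecided counts (src, dst) pairs of alerts whose rule gives no bad side."""
    by_msg = {r["msg"]: r for r in rules}
    attacks, undecided = Counter(), Counter()
    for msg, src, dst in alerts:
        pair = attacker_target(by_msg[msg], src, dst)
        if pair is None:
            undecided[(src, dst)] += 1
        else:
            attacks[pair] += 1
    return attacks, undecided


def naive_sources(alerts):
    """The report you get today: alert source IPs counted as if they were attackers."""
    return Counter(src for _, src, _ in alerts)


# Constructed rule set in the proposed syntax.
RULES = [parse_rule(line) for line in [
    r'alert tcp any any -> any any S (msg:"Attack"; content:"cmd.exe";)',
    r'alert tcp any any -> any any D (msg:"Response"; content:"\WINNT\system32";)',
    r'alert tcp any any <> any any A (msg:"Bidirectional"; content:"foo";)',
]]

# Constructed hosts and alerts mirroring the A/B/C/D scenario in the message:
# A attacks B, D attacks C, and C replies to D with a DOS prompt.
A, B, C, D = "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"
ALERTS = [
    ("Attack", A, B),
    ("Attack", D, C),
    ("Response", C, D),
    ("Bidirectional", B, A),
]

if __name__ == "__main__":
    attacks, undecided = attack_report(RULES, ALERTS)
    print("attacker -> target:", dict(attacks))
    print("undecided (either side):", dict(undecided))
    print("naive source count:", dict(naive_sources(ALERTS)))
```

With the flag, the "Response" alert from C to D is credited to D as attacker and C as target, so the report shows only A and D as bad hosts; the naive source count still lists C, which is exactly the confusion the proposal is meant to remove. Rules marked "A" are kept in a separate undecided bucket rather than guessed at.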