No subject


Thu Nov 23 16:31:58 EST 2017


and C, the source IPs of the alerts.
No, A and D are the bad hosts. B and C are the targets. (C is replying to
an attack from D)

So, how do we get a report where the sources and destinations of the
actual ATTACKS are shown?


If we add a new field in the rules, declaring which side of the packet is
"bad", then we should be able to create a reporting mechanism that puts
together the correct report.

Example:

This is how the rules look at present:
alert tcp any any -> any any (msg:"Attack"; content:"cmd.exe";)
alert tcp any any -> any any (msg:"Response"; content:"\WINNT\system32";)

This is how they could look like with the new field:
alert tcp any any -> any any S (msg:"Attack"; content:"cmd.exe";)
alert tcp any any -> any any D (msg:"Response"; content:"\WINNT\system32";)
                             ^

S = The source address is the bad guy (he wants to run cmd.exe)
D = The destination address is the bad guy (the source address is replying
    with a DOS-prompt)
A = Any of the two (for rules with the direction <>, and for rules that
    just log packets with no particular options)


What do you think?

Martin Olsson
Sentor AB, Sweden
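The reporting step the post proposes, as an added example that is not part of the original message and not Snort code: a small Python script that parses rules written in the proposed syntax (the hypothetical S / D / A field after the destination port), then attributes each alert to an attacker and a target instead of listing alert source addresses. The rule set, the regular expressions, the alert records and the host addresses (A..D mapped to 10.0.0.1..10.0.0.4) are all constructed for the example; the check that a `<>` rule must use A follows the post's definition of A and is an assumption.

```python
import re
from collections import Counter

# Constructed rule set in the syntax proposed in the post: a hypothetical
# S / D / A field after the destination port. This is not real Snort syntax.
RULES = r'''
alert tcp any any -> any any S (msg:"Attack"; content:"cmd.exe";)
alert tcp any any -> any any D (msg:"Response"; content:"\WINNT\system32";)
alert tcp any any <> any any A (msg:"Suspicious"; content:"foo";)
'''

# Rule header: action proto src sport dir dst dport SIDE (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+(?P<dir>->|<>)'
    r'\s+\S+\s+\S+\s+(?P<side>[SDA])\s+\((?P<opts>.*)\)\s*$'
)
MSG_RE = re.compile(r'msg:"([^"]*)"')


def parse_rules(text):
    """Map each rule's msg to its side letter; reject malformed rules."""
    sides = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"cannot parse rule: {line}")
        msg = MSG_RE.search(m.group('opts'))
        if msg is None:
            raise ValueError(f"rule has no msg option: {line}")
        side = m.group('side')
        # A bidirectional rule cannot single out one side (assumption that
        # follows the post's definition of A).
        if m.group('dir') == '<>' and side != 'A':
            raise ValueError(f"bidirectional rule must use A: {line}")
        sides[msg.group(1)] = side
    return sides


# Constructed alerts for the post's scenario: A attacks B, D attacks C,
# and C answers D with a DOS prompt. Hosts A..D are 10.0.0.1..10.0.0.4.
ALERTS = [
    {"msg": "Attack",     "src": "10.0.0.1", "dst": "10.0.0.2"},  # A -> B
    {"msg": "Attack",     "src": "10.0.0.4", "dst": "10.0.0.3"},  # D -> C
    {"msg": "Response",   "src": "10.0.0.3", "dst": "10.0.0.4"},  # C replies to D
    {"msg": "Suspicious", "src": "10.0.0.5", "dst": "10.0.0.6"},  # no side known
]


def naive_report(alerts):
    """Today's report: count alert source addresses, attacker or not."""
    return Counter(a["src"] for a in alerts)


def attacker_report(alerts, sides):
    """Attribute each alert to an (attacker, target) pair via the side field.

    Returns (Counter of pairs, list of alerts whose side is A or unknown).
    """
    pairs = Counter()
    undetermined = []
    for a in alerts:
        side = sides.get(a["msg"])
        if side == "S":
            pairs[(a["src"], a["dst"])] += 1
        elif side == "D":
            pairs[(a["dst"], a["src"])] += 1
        else:
            undetermined.append(a)
    return pairs, undetermined


if __name__ == "__main__":
    sides = parse_rules(RULES)
    print("by source IP (current report):", dict(naive_report(ALERTS)))
    pairs, undetermined = attacker_report(ALERTS, sides)
    for (attacker, target), n in sorted(pairs.items()):
        print(f"attacker {attacker} -> target {target}: {n} alert(s)")
    print(f"{len(undetermined)} alert(s) with no attributable side")
```

Run as-is, the source-IP report lists A, D and C, while the side-aware report lists only A and D as attackers and B and C as targets; the "Response" alert from C is folded into D's attack on C. Alerts from A rules (or from rules the report does not know) are kept apart rather than guessed, which is the honest result for bidirectional or log-only rules.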
