[Snort-sigs] Signatures

Robert Wagner rwagner at ...447...
Thu Mar 21 14:19:01 EST 2002

I believe this is left up to third party products like Guardian.  I have
used Guardian to monitor the syslog files and pick up on the priority level
of an attack and react accordingly (pass the priority, attacker IP address,
interface, and protocol to guardian_block.sh)  The shell program can be
setup to run whatever commands you wish based on any combination of the

While this doesn't provide a single comprehensive solution (single source),
it allows each group of developers to be experts in their area.  In the
long-term better products and choices between them.  

The other great thing is that you can build rules to fit your needs.  This
project only works if people contribute their research back to the project.
If you find some responses, please send them through.

Lastly, an IDS like snort is only effective if suspicious activity is caught
very early in the attack (preferably during an initial recon - portscan) and
action is taken (see portsentry from psionic).  It would be kind of useless
to catch the "OK - All files have been deleted" response from a trojan.
Much better to catch the initial "wake up trojan, we are going to cause some
havoc today" command.  

Let me know if this helps.  I am not a developer, this is just my impression
of their focus.  If you are interested in Guardian, I have modified it to
look at the priority level and pass that through to a shell script.  I can
pass the changes along.


-----Original Message-----
From: Nelson, James (CC-MIS Plans and Prog)
[mailto:James.Nelson at ...74...]
Sent: Thursday, March 21, 2002 2:55 PM
To: 'snort-sigs at lists.sourceforge.net'
Subject: [Snort-sigs] Signatures

This is just an observation and it is for the entire group. I said something
earlier and nobody gave me any feedback.  

Why not build rules activate logging but only alert once on a given session?

The other thought I have is why not build rules that look for certain
patterns in the RESPONSE that indicate the attempt was successful or that it
failed?  What good are alerts without being able to establish some priority
to them based on the system's reaction?

+ $0.02

James Nelson

Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list