[Snort-sigs] "bad guy" tagging (Was: Re: Regarding rule 491 INFO FTP Bad login)

Erek Adams erek at ...95...
Tue Jul 15 12:44:05 EDT 2003

On Mon, 14 Jul 2003, Martin Olsson wrote:

> No, snort doesn't, and I don't think it should. The operator analyzing the
> alert should see the alerts unmodified in order to keep it simple and
> understandable.
> Instead I've made a request (in the snort-devel-mailinglist) for some kind
> of tagging-system where each alert is tagged with information about where
> the bad guy is located, src or dst. In your case it would be the
> destination side since the source is the attacked FTP server.

Ok, maybe I'm missing something, but what would be the purpose of the "bad
guy" tagging?  You should _already_ know who the bad guy is.  As you said
above "the operator analyzing the alerts" should be the one to tag it.  To
me, you can program a lot of 'smarts' into a program, but you can't ever
program 'humanity' into one.

What is the difficult part about looking at the rule, looking at the
packet data, and then saying "Hrm...  Looks like X was respsonding to a
packet from Y with Z content.  That means that X is the victim, and Y is
the attacker."  That's what people get paid to do.  I, for one would like
my analyst to be competent and not depend on something that for alert
classification.  Hey, but I'm kinda wierd.  :)


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

More information about the Snort-sigs mailing list