[Snort-sigs] Re: "bad guy" tagging

Grudge Mason grudge_mason at ...12...
Thu Jul 17 08:55:15 EDT 2003


Martin Olsson <elof at ...1288...> wrote:
>Ok, it might not be the most beautiful solution, but putting this standard
>word first in the msg-tag works.

Yes it would! (and it already is in some sigs....) and you are free to do 
this yourself or create a patch with new keyword.

Although i think you have got this thing all backwards.
What you are asking for will only give the report reader (who may not be
that technical) a false sense about what's going on anyway if it's all
about "top attackers".  Of course the most frequent attackers/attacks are
almost always the ***LEAST*** interesting since they are always regular
script kiddies or well known worms. So if the purpose of the report is to
show some kind of threat level this top attacker stuff is totally useless
and will only make the report reader ignore the rest (i.e. the stuff that
REALLY matters).
People with clue who read the report will understand that most frequent
adresses are not the same as most frequent attackers anyway.

/g

_________________________________________________________________
The new MSN 8: smart spam protection and 2 months FREE*  
http://join.msn.com/?page=features/junkmail





More information about the Snort-sigs mailing list