[Snort-sigs] Re: "bad guy" tagging
elof at ...1288...
Fri Jul 18 05:31:09 EDT 2003
On Thu, 17 Jul 2003, Grudge Mason wrote:

> Although I think you have got this thing all backwards.
> What you are asking for will only give the report reader (who may not be
> that technical) a false sense about what's going on anyway if it's all
> about "top attackers".

Oh, I must have been unclear.
The top attackers was just an example of how the report and statistics
tools are forced into displaying non-perfect results.

This is not about "top attackers". My goal is simply to make snort able to
give the tools a chance to produce correct results in the way an operator
wants to see them.

When this is achieved, other tools like correlating engines could also
benefit from the new tag, making them smarter. Today they have to work in
dumb-mode since there is no way to separate the offenders and targets.