[Snort-sigs] Re: "bad guy" tagging

Martin Olsson elof at ...1288...
Fri Jul 18 05:31:09 EDT 2003


On Thu, 17 Jul 2003, Grudge Mason wrote:
> Although I think you have got this thing all backwards.
> What you are asking for will only give the report reader (who may not be
> that technical) a false sense about what's going on anyway if it's all
> about "top attackers".

Oh, I must have been unclear.

The top attackers was just an example of how the report- and statistics
tools are forced into displaying non-perfect results.

This is not about "top attackers". My goal is simply to make snort able to
give the tools a chance to produce correct results in the way an operator
wants to see them.
When this is achieved, other tools like correlating engines could also
benefit from the new tag, making them smarter. Today they have to work in
dumb-mode since there is no way to separate the offenders and targets.

/Martin
