[Snort-sigs] Re: "bad guy" tagging

Grudge Mason grudge_mason at ...12...
Fri Jul 18 05:37:20 EDT 2003

>Martin Olsson <elof at ...1288...> wrote:

>Ok, it might not be the most beautiful solution, but putting this standard
>word first in the msg-tag works.

Yes it would! (and it already is in some sigs....)
Although I think you have got this thing all backwards.
What you are asking for will only give the report reader (who may not be 
that technical) a false sense about what's going on anyway if it's all about 
"top attackers".  Of course the most frequent attackers/attacks are almost 
always the ***LEAST*** interesting since they are always regular script 
kiddies or well known worms. So if the purpose of the report is to show some 
kind of threat level this top attacker stuff is totally useless and will 
only make the report reader ignore the rest (i.e. the stuff that REALLY 
People with clue who read the report will understand that most frequent 
addresses are not the same as most frequent attackers anyway.


