[Snort-users] One for the Wishlist

Steve Halligan agent33 at ...187...
Fri Aug 25 11:03:02 EDT 2000


I know this has been mentioned before, but I would like to see the ability
to assign a severity level to a rule.  For example a PING-ICMP_TIME_EXCEEDED
may be a severity=1 while an FTP-badlogin may be a 3 and a DDoS-shaft handler
to agent may be a 5.  I know that this is somewhat subjective, but once the
rules have been modified to minimize false positives in your environment,
this could really aid tuning flex response and automated nastygram response
(tm).  It would also give us the ability to flag a potential attacker.  For
example traffic from a.b.c.d triggers a rule with a severity=5, all traffic
from this IP will be logged for X amount of time.  We can also automagically
add him to a "watch list" and pay special attention to events from him even
after X amount of time has expired.

-Steve
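The severity-driven escalation described in the post, as an added example in Python that is not part of the original message or of Snort: the three rule/severity pairs come from the post, a severity-5 hit turns on full logging for that source for "X amount of time" and puts it on a persistent watch list; the window length and the one-level severity boost for already-watched hosts are assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Set

# Constructed severity table; the three rule/severity pairs are the ones named in the post.
RULE_SEVERITY = {"PING-ICMP_TIME_EXCEEDED": 1, "FTP-badlogin": 3, "DDoS-shaft handler to agent": 5}

@dataclass
class WatchState:
    """Per-source state driven by severity-tagged alerts (hypothetical design, not Snort code)."""
    full_log_window: timedelta = timedelta(hours=1)  # the post's "X amount of time" (assumed value)
    escalate_at: int = 5                              # severity that turns on full logging
    watch_boost: int = 1                              # assumed: watched hosts are treated one level higher
    full_log_until: Dict[str, datetime] = field(default_factory=dict)
    watch_list: Set[str] = field(default_factory=set)

    def handle_alert(self, src_ip: str, rule: str, when: datetime) -> int:
        """Apply one alert and return its effective severity after the watch-list boost."""
        severity = RULE_SEVERITY.get(rule, 0)
        if src_ip in self.watch_list:
            severity = min(5, severity + self.watch_boost)
        if severity >= self.escalate_at:
            # Log everything from this source for the window and keep it on the watch list afterwards.
            self.full_log_until[src_ip] = when + self.full_log_window
            self.watch_list.add(src_ip)
        return severity

    def log_all_traffic(self, src_ip: str, now: datetime) -> bool:
        """True while the source's full-logging window is still open."""
        until = self.full_log_until.get(src_ip)
        return until is not None and now < until

    def is_watched(self, src_ip: str) -> bool:
        return src_ip in self.watch_list

def run_demo() -> dict:
    """Replay a constructed alert sequence and return the observable outcomes."""
    t0 = datetime(2000, 8, 25, 11, 0)
    st = WatchState(full_log_window=timedelta(minutes=30))
    sev_ping = st.handle_alert("192.0.2.10", "PING-ICMP_TIME_EXCEEDED", t0)
    sev_shaft = st.handle_alert("192.0.2.10", "DDoS-shaft handler to agent", t0 + timedelta(minutes=1))
    expired = t0 + timedelta(hours=2)  # well past the 30-minute window
    return {
        "sev_ping": sev_ping, "sev_shaft": sev_shaft,
        "logging_in_window": st.log_all_traffic("192.0.2.10", t0 + timedelta(minutes=10)),
        "logging_after_window": st.log_all_traffic("192.0.2.10", expired),
        "still_watched": st.is_watched("192.0.2.10"),
        "sev_ftp_watched": st.handle_alert("192.0.2.10", "FTP-badlogin", expired),
        "sev_ftp_unwatched": st.handle_alert("198.51.100.5", "FTP-badlogin", expired),
    }
```

After the window closes the source is no longer fully logged but stays on the watch list, so its later FTP-badlogin is reported one level higher than the same alert from an unknown host.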