[Snort-users] One for the Wishlist
epadin at ...200...
Fri Aug 25 11:58:57 EDT 2000
These sound like nice features, but I wonder if they would be better suited
to a log parser rather than snort itself.
From: Steve Halligan [mailto:agent33 at ...187...]
Sent: Friday, August 25, 2000 11:03 AM
To: Snort-Users (E-mail)
Subject: [Snort-users] One for the Wishlist
I know this has been mentioned before, but I would like to see the ability
to assign a severity level to a rule. For example, a PING-ICMP_TIME_EXCEEDED
may be a severity=1 while an FTP-badlogin may be a 3 and a DDoS-shaft handler
to agent may be a 5. I know that this is somewhat subjective, but once the
rules have been modified to minimize false positives in your environment,
this could really aid tuning flex response and automated nastygram response
(tm). It would also give us the ability to flag a potential attacker. For
example traffic from a.b.c.d triggers a rule with a severity=5, all traffic
from this ip will be logged for X amount of time. We can also automagically
add him to a "watch list" and pay special attention to events from him even
after X amount of time has expired.
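As an added illustration (written for this page, not code from either poster or from Snort), here is the log-parser approach the reply suggests: it reads constructed alert lines in the old "timestamp [**] message [**] src -> dst" fast-alert layout, assigns the severities named in the post, and keeps the time-limited full-logging state and the permanent watch list. The severity-5 trigger matches the post; the one-hour window for "X amount of time" and the rule-name table are assumed values.

```python
import re
from datetime import datetime, timedelta

# Constructed severity table keyed by Snort rule message (values from the post).
SEVERITY = {
    "PING-ICMP_TIME_EXCEEDED": 1,
    "FTP-badlogin": 3,
    "DDoS-shaft handler to agent": 5,
}
ESCALATE_AT = 5                   # severity that triggers full logging of the source
LOG_WINDOW = timedelta(hours=1)   # assumed value for "X amount of time"

# Constructed sample alerts; addresses and ports are made up for the example.
SAMPLE_ALERTS = [
    "08/25-11:03:00.000001 [**] PING-ICMP_TIME_EXCEEDED [**] 10.0.0.7 -> 192.168.1.2",
    "08/25-11:05:10.000002 [**] DDoS-shaft handler to agent [**] 10.0.0.9:1234 -> 192.168.1.2:5678",
    "08/25-11:30:00.000003 [**] PING-ICMP_TIME_EXCEEDED [**] 10.0.0.9 -> 192.168.1.3",
    "08/25-13:00:00.000004 [**] FTP-badlogin [**] 10.0.0.9:4321 -> 192.168.1.4:21",
]

ALERT_RE = re.compile(
    r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d)\.\d+ \[\*\*\] (.+?) \[\*\*\] (\S+?)(?::\d+)? -> (\S+)")

def parse_alert(line, year=2000):
    """Return dict(ts, msg, src, dst, severity) or None for a non-matching line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    date, clock, msg, src, dst = m.groups()
    ts = datetime.strptime(f"{year}/{date} {clock}", "%Y/%m/%d %H:%M:%S")
    return {"ts": ts, "msg": msg, "src": src, "dst": dst,
            "severity": SEVERITY.get(msg, 0)}   # unknown rules default to 0

class SourceTracker:
    def __init__(self):
        self.log_until = {}      # src ip -> time until which all its traffic is logged
        self.watch_list = set()  # sources that ever hit ESCALATE_AT; never expires

    def handle(self, alert):
        """Update state for one alert and return the handling decision for its source."""
        src, now = alert["src"], alert["ts"]
        if alert["severity"] >= ESCALATE_AT:
            self.log_until[src] = now + LOG_WINDOW
            self.watch_list.add(src)
        if src in self.log_until and now <= self.log_until[src]:
            return "full-log"   # inside the X-time window: log everything from src
        if src in self.watch_list:
            return "watch"      # window expired, but src stays on the watch list
        return "normal"

def run(lines):
    """Feed alert lines through the tracker; returns (src, msg, severity, decision)."""
    tracker, results = SourceTracker(), []
    for alert in filter(None, map(parse_alert, lines)):
        results.append((alert["src"], alert["msg"], alert["severity"], tracker.handle(alert)))
    return results
```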