[Snort-users] One for the Wishlist

Steve Halligan agent33 at ...187...
Fri Aug 25 13:24:57 EDT 2000


That is exactly my point.   A log parser (or database query in my case)
can't assign a severity to an event unless you assign the severity to events
in the parser script.  This would mean re-writing the parser for every rule
addition.  If the parser can just look at the log and see "Severity=5" it
makes it much easier to code the parser.

-----Original Message-----
From: Ed Padin [mailto:epadin at ...200...]
Sent: Friday, August 25, 2000 10:59 AM
To: Snort-Users (E-mail)
Subject: RE: [Snort-users] One for the Wishlist


These sound like nice features but I wonder if they would be better suited
to a log parser rather than snort itself.

-----Original Message-----
From: Steve Halligan [mailto:agent33 at ...187...]
Sent: Friday, August 25, 2000 11:03 AM
To: Snort-Users (E-mail)
Subject: [Snort-users] One for the Wishlist



I know this has been mentioned before, but I would like to see the ability
to assign a severity level to a rule.  For example a PING-ICMP_TIME_EXCEEDED
may be a severity=1 while an FTP-badlogin may be a 3 and a DDoS-shaft handler
to agent may be a 5.  I know that this is somewhat subjective, but once the
rules have been modified to minimize false positives in your environment,
this could really aid tuning flex response and automated nastygram response
(tm).  It would also give us the ability to flag a potential attacker.  For
example traffic from a.b.c.d triggers a rule with a severity=5, all traffic
from this ip will be logged for X amount of time.  We can also automagically
add him to a "watch list" and pay special attention to events from him even
after X amount of time has expired.

-Steve 
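Here is an added example, not code from the thread or from the Snort project, of the kind of parser the thread is talking about: it reads a per-rule severity straight out of each alert line instead of carrying a rule-to-severity table of its own, escalates a source that fires a severity-5 rule to full logging for a window of X minutes, and keeps that source on a persistent watch list once the window expires. The log line layout (`Rule=... Severity=N Src=... Dst=...`), the sample lines, the year 2000 timestamps, and the window length are all constructed assumptions; Snort's real alert format carries no such field.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alert lines in a hypothetical layout that carries the
# "Severity=N" field proposed in the thread. This is NOT Snort's output format.
SAMPLE_LOG = """\
08/25-10:01:02.000000 Rule=PING-ICMP_TIME_EXCEEDED Severity=1 Src=10.0.0.5 Dst=192.168.1.10
08/25-10:02:15.000000 Rule=FTP-badlogin Severity=3 Src=10.0.0.7 Dst=192.168.1.20
08/25-10:03:40.000000 Rule=DDoS-shaft-handler-to-agent Severity=5 Src=172.16.4.9 Dst=192.168.1.30
08/25-10:05:00.000000 Rule=PING-ICMP_TIME_EXCEEDED Severity=1 Src=172.16.4.9 Dst=192.168.1.10
08/25-10:06:00.000000 Rule=FTP-badlogin Severity=3 Src=10.0.0.7 Dst=192.168.1.20
not an alert line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) Rule=(?P<rule>\S+) "
    r"Severity=(?P<sev>\d) Src=(?P<src>\S+) Dst=(?P<dst>\S+)$"
)

ESCALATE_SEVERITY = 5            # a hit at or above this puts the source on watch
FULL_LOG_WINDOW = timedelta(hours=1)  # the "X amount of time" from the thread (assumed)


def parse_line(line):
    """Return a dict for one alert line, or None if the line does not match.

    The severity is read from the line itself, so adding a rule never
    requires touching this parser.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Snort-style timestamps carry no year; 2000 is assumed for the sample.
    ts = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S.%f").replace(year=2000)
    return {
        "ts": ts,
        "rule": m.group("rule"),
        "severity": int(m.group("sev")),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


class WatchList:
    """Tracks sources that triggered a high-severity rule."""

    def __init__(self, window=FULL_LOG_WINDOW, threshold=ESCALATE_SEVERITY):
        self.window = window
        self.threshold = threshold
        self.full_log_until = {}  # src -> datetime: log everything from src until then
        self.watched = set()      # sources that stay flagged after the window expires
        self.full_logged = []     # events captured while a source's window was open
        self.flagged = []         # later events from watched sources, for special attention

    def process(self, event):
        src = event["src"]
        if event["severity"] >= self.threshold:
            # Open (or extend) the full-logging window and remember the source.
            self.watched.add(src)
            self.full_log_until[src] = event["ts"] + self.window
        until = self.full_log_until.get(src)
        if until is not None and event["ts"] <= until:
            self.full_logged.append(event)
        elif src in self.watched:
            self.flagged.append(event)


def run(log_text, window=FULL_LOG_WINDOW):
    """Feed every parseable line of log_text through a fresh WatchList."""
    wl = WatchList(window=window)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None:
            wl.process(event)
    return wl


if __name__ == "__main__":
    wl = run(SAMPLE_LOG)
    print("watched sources:", sorted(wl.watched))
    print("fully logged events:", len(wl.full_logged))
    print("flagged after window:", len(wl.flagged))
```

With the default one-hour window the severity-5 hit from 172.16.4.9 and its later ping both land in the full log; shrink the window to a minute and the later ping is instead flagged as a watch-list event after expiry, which is the second behaviour the thread asks for.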
