[Snort-users] One for the Wishlist

Dragos Ruiu dr at ...50...
Fri Aug 25 14:59:13 EDT 2000


There is nothing that needs to be added to snort to enable this.
Just pick a convention (i.e. a number at the beginning of the message 
indicating severity) and edit your rules file to change the messages
output string for that rule to include your convention.  Then 
postprocess to your heart's content.  Ah, the beauty of open 
source...

How's that for rapid implementation of new features. :-)

cheers,
--dr

On Fri, 25 Aug 2000, Steve Halligan wrote:
> 
> That is exactly my point.   A log parser (or database query in my case)
> can't assign a severity to an event unless you assign the severity to events
> in the parser script.  This would mean re-writing the parser for every rule
> addition.  If the parser can just look at the log and see "Severity=5" it
> makes it much easier to code the parser.
> 
> -----Original Message-----
> From: Ed Padin [mailto:epadin at ...200...]
> Sent: Friday, August 25, 2000 10:59 AM
> To: Snort-Users (E-mail)
> Subject: RE: [Snort-users] One for the Wishlist
> 
> 
> These sound like nice features but I wonder if they would be better suited
> to a log parser rather than snort itself.
> 
> -----Original Message-----
> From: Steve Halligan [mailto:agent33 at ...187...]
> Sent: Friday, August 25, 2000 11:03 AM
> To: Snort-Users (E-mail)
> Subject: [Snort-users] One for the Wishlist
> 
> 
> 
> I know this has been mentioned before, but I would like to see the ability
> to assign a severity level to a rule.  For example a PING-ICMP_TIME_EXCEEDED
> may be a severity=1 while an FTP-badlogin may be a 3 and a DDoS-shaft handler
> to agent may be a 5.  I know that this is somewhat subjective, but once the
> rules have been modified to minimize false positives in your environment,
> this could really aid tuning flex response and automated nastygram response
> (tm).  It would also give us the ability to flag a potential attacker.  For
> example traffic from a.b.c.d triggers a rule with a severity=5, all traffic
> from this ip will be logged for X amount of time.  We can also automagically
> add him to a "watch list" and pay special attention to events from him even
> after X amount of time has expired.
> 
> -Steve 
> 
> 


-- 
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E  B7DC 2B71 A73E D2E8 A56D 
pgp key: http://www.dursec.com/drkey.asc
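The convention-plus-postprocessing approach described above, worked through as an added Python example (not code from the thread or from the snort project). It assumes a "SEV=<n> " prefix on each rule's msg string and an alert line layout modelled on snort's single-line alert format; the sample alert lines are constructed for the example and are not real captures. It parses the severity out of the message, builds the "log everything from this host for X time" window and the longer-lived watch list that Steve describes, and treats untagged rules as severity 0 so the parser never needs per-rule knowledge.

```python
import re
from datetime import datetime, timedelta

# Assumed convention for this example (not a snort feature): each rule's msg
# string starts with "SEV=<n> ", e.g.  msg:"SEV=5 DDoS-shaft handler to agent";
# The line layout below mirrors snort's one-line alert style, but every line is
# constructed for this example.
SAMPLE_ALERTS = """\
08/25-10:59:13.000001 [**] SEV=1 PING-ICMP_TIME_EXCEEDED [**] 10.0.0.7 -> 192.168.1.10
08/25-11:02:44.000002 [**] SEV=3 FTP-badlogin [**] 10.0.0.9 -> 192.168.1.21
08/25-11:03:01.000003 [**] SEV=5 DDoS-shaft handler to agent [**] 10.0.0.9 -> 192.168.1.21
08/25-11:04:10.000004 [**] PORTSCAN (no severity tag) [**] 10.0.0.12 -> 192.168.1.5
08/25-14:59:13.000005 [**] SEV=5 FTP-badlogin [**] 10.0.0.9 -> 192.168.1.22
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"(?P<msg>.*?) \[\*\*\] (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$"
)
SEV_RE = re.compile(r"^SEV=(?P<sev>\d) (?P<rest>.*)$")


def parse_alert(line, year=2000):
    """Split one alert line into fields; severity comes from the msg prefix.
    snort's alert timestamps carry no year, so the caller supplies it."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    sev = SEV_RE.match(m["msg"])
    if sev:
        severity, text = int(sev["sev"]), sev["rest"]
    else:
        severity, text = 0, m["msg"]  # untagged rule: lowest bucket
    return {"ts": ts, "severity": severity, "msg": text,
            "src": m["src"], "dst": m["dst"]}


def build_watch_list(lines, threshold=5, log_window=timedelta(hours=1)):
    """Return (log_until, watch).
    log_until maps a source host to the time until which all of its traffic
    should be logged (the window restarts on each qualifying alert);
    watch is the set of hosts that ever crossed the threshold, and they stay
    on it after the logging window has expired."""
    log_until = {}
    watch = set()
    for line in lines.splitlines():
        a = parse_alert(line)
        if a is None or a["severity"] < threshold:
            continue
        watch.add(a["src"])
        expiry = a["ts"] + log_window
        if a["src"] not in log_until or expiry > log_until[a["src"]]:
            log_until[a["src"]] = expiry
    return log_until, watch


def traffic_policy(src, now, log_until, watch):
    """'log-all' while the window is open, 'watch' afterwards, else 'normal'."""
    if src in log_until and now <= log_until[src]:
        return "log-all"
    return "watch" if src in watch else "normal"


if __name__ == "__main__":
    until, watch = build_watch_list(SAMPLE_ALERTS)
    for src in sorted(watch):
        print(f"{src}: log all traffic until {until[src]:%m/%d %H:%M:%S}")
```

Because the severity lives in the msg string, the same alert file also works for the database case Steve mentions: whatever loads the alerts can pull the number out of the message column with the same prefix rule instead of carrying a rule-to-severity table of its own.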


