[Snort-users] One for the Wishlist

O'Rourke, Paul F (Paul) porourke at ...389...
Fri Aug 25 16:00:03 EDT 2000


Why not have snort extract the severity from a field in the rule itself.
Then it's a simple, generic change to snort, the severity can be easily
changed by the users, and it could be backwards compatible to existing
rulesets.

> ----------
> From: 	Steve Halligan[SMTP:agent33 at ...187...]
> Sent: 	Friday, August 25, 2000 1:24 PM
> To: 	Snort-Users (E-mail)
> Subject: 	RE: [Snort-users] One for the Wishlist
> 
> That is exactly my point.   A log parser (or database query in my case)
> can't assign a severity to an event unless you assign the severity to
> events in the parser script.  This would mean re-writing the parser for
> every rule addition.  If the parser can just look at the log and see
> "Severity=5" it makes it much easier to code the parser.
> 
> 	-----Original Message-----
> 	From: Ed Padin [mailto:epadin at ...200...]
> 	Sent: Friday, August 25, 2000 10:59 AM
> 	To: Snort-Users (E-mail)
> 	Subject: RE: [Snort-users] One for the Wishlist
> 
> 
> 	These sound like nice features but I wonder if they would be
> better suited to a log parser rather than snort itself.
> 
> 		-----Original Message-----
> 		From: Steve Halligan [mailto:agent33 at ...187...]
> 		Sent: Friday, August 25, 2000 11:03 AM
> 		To: Snort-Users (E-mail)
> 		Subject: [Snort-users] One for the Wishlist
> 
> 
> 
> 		I know this has been mentioned before, but I would like to
> see the ability to assign a severity level to a rule.  For example a
> PING-ICMP_TIME_EXCEEDED may be a severity=1 while an FTP-badlogin may be a
> 3 and a DDoS-shaft handler to agent may be a 5.  I know that this is
> somewhat subjective, but once the rules have been modified to minimize
> false positives in your environment, this could really aid tuning flex
> response and automated nastygram response (tm).  It would also give us the
> ability to flag a potential attacker.  For example traffic from a.b.c.d
> triggers a rule with a severity=5, all traffic from this IP will be logged
> for X amount of time.  We can also automagically add him to a "watch list"
> and pay special attention to events from him even after X amount of time
> has expired.
> 
> 		-Steve 
> 
> 

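The parser side of this proposal, as an added example that is not part of the original thread or of Snort: it reads a Severity= field from constructed alert lines (the line format and sample log are assumed for illustration; Snort's real alert output differs) and applies the two responses Steve describes, full logging of the source for a limited window and a persistent watch list that keeps flagging the source after the window lapses.

```python
"""Watch-list logic driven by a Severity= field in alert log lines."""
import re
from datetime import datetime, timedelta

# Assumed line format: "<timestamp> <rule name> Severity=<n> src=<ip> dst=<ip>"
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<name>\S+) "
    r"Severity=(?P<sev>\d) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$")
WATCH_WINDOW = timedelta(hours=1)   # the "X amount of time" from the thread
WATCH_THRESHOLD = 5                 # severity that triggers the responses

# Constructed sample log using the rule names mentioned in the thread.
SAMPLE_LOG = """\
2000-08-25 10:00:00 PING-ICMP_TIME_EXCEEDED Severity=1 src=10.0.0.7 dst=192.168.1.2
2000-08-25 10:05:00 DDoS-shaft-handler-to-agent Severity=5 src=10.0.0.7 dst=192.168.1.2
2000-08-25 10:30:00 FTP-badlogin Severity=3 src=10.0.0.7 dst=192.168.1.3
2000-08-25 12:00:00 PING-ICMP_TIME_EXCEEDED Severity=1 src=10.0.0.7 dst=192.168.1.2
2000-08-25 12:01:00 FTP-badlogin Severity=3 src=10.0.0.9 dst=192.168.1.3
"""

def parse_alert(line):
    """Return the fields of one alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "name": m["name"], "sev": int(m["sev"]),
            "src": m["src"], "dst": m["dst"]}

def process(log_text):
    """For each parsed event return (ts, src, rule, actions). A source that
    triggers a severity-5 rule has all of its traffic logged for WATCH_WINDOW
    and is added permanently to the watch list, so its later events are still
    flagged once the logging window has expired."""
    log_all = {}        # src ip -> time at which full logging of it expires
    watchlist = set()   # src ips that ever triggered a severity-5 rule
    results = []
    for line in log_text.splitlines():
        ev = parse_alert(line)
        if ev is None:
            continue    # unparsable line: skip rather than guess a severity
        src, ts = ev["src"], ev["ts"]
        if ev["sev"] >= WATCH_THRESHOLD:
            log_all[src] = ts + WATCH_WINDOW   # (re)start the logging window
            watchlist.add(src)
        actions = []
        if src in log_all and ts < log_all[src]:
            actions.append("log-all-traffic")
        if src in watchlist:
            actions.append("watchlist")
        results.append((ts, src, ev["name"], actions))
    return results
```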