[Snort-users] One for the Wishlist

Steve Halligan agent33 at ...187...
Fri Aug 25 17:03:04 EDT 2000


I would prefer it be in a different field in the rule also.  I suppose it
would be easy to parse severity and/or confidence out of the msg field,
but it just seems cleaner if it were its own field.

-----Original Message-----
From: O'Rourke, Paul F (Paul) [mailto:porourke at ...389...]
Sent: Friday, August 25, 2000 3:00 PM
To: Snort-Users (E-mail); 'Steve Halligan'
Subject: RE: [Snort-users] One for the Wishlist


Why not have snort extract the severity from a field in the rule itself?
Then it's a simple generic change to snort, the severity can be easily
changed by the users, and it could be backwards compatible to existing
rulesets.

> ----------
> From: 	Steve Halligan[SMTP:agent33 at ...187...]
> Sent: 	Friday, August 25, 2000 1:24 PM
> To: 	Snort-Users (E-mail)
> Subject: 	RE: [Snort-users] One for the Wishlist
> 
> That is exactly my point.   A log parser (or database query in my case)
> can't assign a severity to an event unless you assign the severity to
> events in the parser script.  This would mean re-writing the parser for
> every rule addition.  If the parser can just look at the log and see
> "Severity=5" it makes it much easier to code the parser.
> 
> 	-----Original Message-----
> 	From: Ed Padin [mailto:epadin at ...200...]
> 	Sent: Friday, August 25, 2000 10:59 AM
> 	To: Snort-Users (E-mail)
> 	Subject: RE: [Snort-users] One for the Wishlist
> 
> 
> 	These sound like nice features, but I wonder if they would be
> better suited to a log parser rather than snort itself.
> 
> 		-----Original Message-----
> 		From: Steve Halligan [mailto:agent33 at ...187...]
> 		Sent: Friday, August 25, 2000 11:03 AM
> 		To: Snort-Users (E-mail)
> 		Subject: [Snort-users] One for the Wishlist
> 
> 
> 
> 		I know this has been mentioned before, but I would like to
> see the ability to assign a severity level to a rule.  For example a
> PING-ICMP_TIME_EXCEEDED may be a severity=1 while an FTP-badlogin may be a
> 3 and a DDoS-shaft handler to agent may be a 5.  I know that this is
> somewhat subjective, but once the rules have been modified to minimize
> false positives in your environment, this could really aid tuning flex
> response and automated nastygram response (tm).  It would also give us the
> ability to flag a potential attacker.  For example traffic from a.b.c.d
> triggers a rule with a severity=5, all traffic from this IP will be logged
> for X amount of time.  We can also automagically add him to a "watch list"
> and pay special attention to events from him even after X amount of time
> has expired.
> 
> 		-Steve 
> 
> 
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
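The mechanism the thread asks for, a parser that reads a "Severity=N" token out of each alert and reacts to it (full logging of the source for a window of time, plus a permanent watch list), as an added worked example. This is not code from the thread or from Snort: the alert lines are constructed in a Snort-1.x-style fast-alert layout, the "Severity=N" token in the message is the syntax proposed above and not something Snort emitted at the time, and the one-hour window standing in for "X amount of time" and the trigger level of 5 are assumptions. (Later Snort releases added a priority: rule option and a [Priority: N] tag in alert output for the same purpose; the example sticks to the token as proposed here.)

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample alerts in a Snort-1.x "fast alert" style layout. The
# "Severity=N" token inside the message is the syntax proposed in this thread,
# an assumption for the example, not something Snort emitted at the time.
SAMPLE_ALERTS = """\
08/25-11:03:04.101 [**] PING-ICMP_TIME_EXCEEDED Severity=1 [**] 10.0.0.7 -> 192.168.1.20
08/25-11:04:10.220 [**] FTP-badlogin Severity=3 [**] 10.0.0.9:4021 -> 192.168.1.21:21
08/25-11:05:00.330 [**] DDoS-shaft handler to agent Severity=5 [**] 10.0.0.9:1024 -> 192.168.1.22:18753
08/25-11:06:30.440 [**] PING-ICMP_TIME_EXCEEDED Severity=1 [**] 10.0.0.9 -> 192.168.1.20
08/25-13:30:00.550 [**] PING-ICMP_TIME_EXCEEDED Severity=1 [**] 10.0.0.9 -> 192.168.1.20
this line is not an alert and must be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] (?P<msg>.+?) \[\*\*\] "
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)? -> (?P<dst>\d+(?:\.\d+){3})(?::\d+)?$"
)
SEVERITY_RE = re.compile(r"\bSeverity=(\d+)\b")


@dataclass
class Alert:
    ts: datetime
    msg: str
    severity: int   # 0 means the rule carried no severity token
    src: str
    dst: str


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    # The fast-alert timestamp has no year; strptime defaults to 1900, which
    # is fine because only differences between timestamps are used below.
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
    sev = SEVERITY_RE.search(m["msg"])
    severity = int(sev.group(1)) if sev else 0
    msg = SEVERITY_RE.sub("", m["msg"]).strip()
    return Alert(ts, msg, severity, m["src"], m["dst"])


@dataclass
class WatchList:
    """Severity-driven response state: a timed full-logging window per source
    plus a permanent watch list, as proposed in the thread."""
    trigger_severity: int = 5                          # assumed trigger level
    full_log_window: timedelta = timedelta(hours=1)    # the thread's "X amount of time"
    full_log_until: Dict[str, datetime] = field(default_factory=dict)
    watched: Set[str] = field(default_factory=set)

    def observe(self, a: Alert) -> str:
        """Record the alert and return the action for its source address:
        'full-log' inside the window, 'watch' after it expires, else 'normal'."""
        if a.severity >= self.trigger_severity:
            self.full_log_until[a.src] = a.ts + self.full_log_window
            self.watched.add(a.src)
        until = self.full_log_until.get(a.src)
        if until is not None and a.ts <= until:
            return "full-log"
        if a.src in self.watched:
            return "watch"
        return "normal"


def process_alerts(text: str, **watch_opts) -> Tuple[List[Tuple[str, str, int, str]], WatchList]:
    """Run every alert line through the watch list; returns
    [(src, msg, severity, action), ...] and the final watch-list state."""
    wl = WatchList(**watch_opts)
    actions = []
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        actions.append((a.src, a.msg, a.severity, wl.observe(a)))
    return actions, wl


if __name__ == "__main__":
    for src, msg, sev, action in process_alerts(SAMPLE_ALERTS)[0]:
        print(f"{action:8} sev={sev} {src:12} {msg}")
```

The point the thread makes shows up in the last two sample lines: the severity-1 ping from 10.0.0.9 at 11:06 is caught by the full-logging window opened by the severity-5 DDoS handler alert a minute earlier, while the same ping at 13:30, after the window has expired, is still reported as "watch" because the address stays on the watch list. Neither decision needed the parser to know anything about the individual rules, which is exactly why a severity field the parser can read directly is easier to maintain than a per-rule table inside the parser.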