[Snort-users] One for the Wishlist

A.L.Lambert alambert at ...387...
Sat Aug 26 01:42:08 EDT 2000


> Why not have snort extract the severity from a field in the rule
> itself. 

	My argument against that would be more overhead for snort while
doing rule processing.  If I'm wrong, and you can add more fields for
snort to take into account while it's snarfing traffic/generating alerts
w/o adding *any* overhead, then I don't suppose I would have much of a
complaint (other than in principle I think parsers should handle parsing,
and sniffers should handle sniffing :).

	(and yes, I know the overhead would be fairly negligible, but some
of us are using snort in some extreme enough bandwidth/sysload situations,
that every last CPU cycle is better devoted to snarfing/analyzing traffic,
than prettifying things for parsers which can just as easily do the job
w/o causing any overhead on the snort machines).

> Then it's a simple generic change to snort, the severity can be easily
> changed by the users, and it could be backwards compatible to existing
> rulesets.

	Yes, but OTOH, a similarly simple change to the way information is
parsed by analysis tools gives the same results, w/o having to muck with
the relatively huge existing databases of rules, w/o having to change
anything to do with snort.  Same end result, and less work to be done.  

	And also, IMHO, it is better from a security standpoint that each
individual running snort pay enough attention to know what's normal on
THEIR network, and set their own severity levels accordingly, and not have
severity levels determined generically.  Most networks are somewhat
unique, and what's normal traffic on my network that generates
false-alarm-X, may never be seen on your network unless someone's doing
something very bad.

	Apologies to any whom I might have just offended by my opinions,
and as always, YMMV. :)

	--A.L.Lambert
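An added illustration of the parser-side approach argued for in the reply above: the severity lives in a site-local table consulted by the analysis tool, so neither the ruleset nor snort itself changes. This is example code written for this page, not code from Snort or from anyone in the thread. The alert lines are constructed, only loosely modelled on Snort's one-line alert style, and the rule messages, addresses and severity values are assumptions.

```python
import re
from collections import Counter

# Constructed sample alert lines, loosely modelled on Snort's one-line
# "fast" alert style. Timestamps, messages and addresses are made up.
SAMPLE_ALERTS = """\
08/26-01:40:11.104512  [**] ICMP PING NMAP [**] 192.168.10.7 -> 192.168.10.1
08/26-01:40:13.558210  [**] WEB-MISC /cgi-bin/ access [**] 10.9.8.7:40211 -> 192.168.10.20:80
08/26-01:41:02.000391  [**] SCAN Proxy attempt [**] 172.16.4.4:2291 -> 192.168.10.20:8080
08/26-01:41:57.771002  [**] ICMP PING NMAP [**] 192.168.10.7 -> 192.168.10.2
""".splitlines()

# Site-local severity map: the "analysis tool" side of the thread's argument.
# A hypothetical site decides its own monitoring host's pings are noise
# (severity 1) while proxy probes deserve attention (severity 4).
SEVERITY_MAP = {
    "ICMP PING NMAP": 1,
    "WEB-MISC /cgi-bin/ access": 3,
    "SCAN Proxy attempt": 4,
}
DEFAULT_SEVERITY = 2   # anything this site has not classified yet

# One-line alert: <timestamp> [**] <msg> [**] <src> -> <dst>
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alert(line):
    """Return (timestamp, message, src, dst), or None if the line does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("msg"), m.group("src"), m.group("dst")


def classify(lines, severity_map=SEVERITY_MAP, default=DEFAULT_SEVERITY):
    """Attach a site-chosen severity to each parsed alert; skip malformed lines."""
    out = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        ts, msg, src, dst = parsed
        out.append((severity_map.get(msg, default), ts, msg, src, dst))
    return out


def by_severity(lines, min_severity=1, **kw):
    """Alerts at or above min_severity, highest severity first, then by time."""
    keep = [a for a in classify(lines, **kw) if a[0] >= min_severity]
    return sorted(keep, key=lambda a: (-a[0], a[1]))


def severity_counts(lines, **kw):
    """How many alerts landed in each severity bucket."""
    return Counter(a[0] for a in classify(lines, **kw))


if __name__ == "__main__":
    for sev, ts, msg, src, dst in by_severity(SAMPLE_ALERTS, min_severity=3):
        print(f"sev={sev} {ts} {msg} {src} -> {dst}")
    print(dict(severity_counts(SAMPLE_ALERTS)))
```

Keying the table on the rule's message text is the simplest thing that works with a plain one-line alert, but it is only as stable as the message strings in the ruleset; where the alert format carries a stable rule identifier, key on that instead so a reworded rule does not silently fall back to the default severity.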
