[Snort-users] Question on Logging and Alerts Suggestion

Scott Brown sbrown at ...39...
Tue Jul 18 13:40:52 EDT 2000


Would there be a way for SNORT to stamp the file in which it found the
rule into the alert file, or in any other logging?  Many times I would
like to remove a rule or change it to fit my environment yet have to
look through each of the "*-lib" files for the given rule.

If it could look something like the following:

[**] PING-ICMP Destination Unreachable [**]
snort-lib rule set   <<<--------(this is what I would like in each log)
07/18-13:00:45.54555 my.network.com -> evil.person.com
ICMP TTL:128 TOS:0x0 ID:19237
DESTINATION UNREACHABLE: PORT UNREACHABLE

I'm not sure if SNORT does not know the rule set it received it from,
or if it views it as one big set of rules.  I'm open to flames or
suggestions.  I'm somewhat new to SNORT so be kind please.

Thank You

Scott Brown
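
An added example, not part of the original message and not Snort's own code: one way to get the requested annotation outside of Snort by indexing the msg option of every rule in the "*-lib" files and stamping the source file and line under each alert header. The directory layout, the "rule source:" label, the sample rule and both function names are assumptions made for this sketch.

```python
import re
import tempfile
from pathlib import Path

# msg option inside a rule, e.g. (msg:"PING-ICMP Destination Unreachable"; ...)
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')
# Header line of an alert entry, e.g. [**] PING-ICMP Destination Unreachable [**]
ALERT_RE = re.compile(r'^\[\*\*\]\s*(.*?)\s*\[\*\*\]\s*$')


def index_rules(rule_dir, pattern="*-lib"):
    """Map each rule msg to the (file name, line number) pairs that define it."""
    index = {}
    for path in sorted(Path(rule_dir).glob(pattern)):
        lines = path.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            if line.lstrip().startswith("#"):
                continue  # skip commented-out rules
            m = MSG_RE.search(line)
            if m:
                index.setdefault(m.group(1), []).append((path.name, lineno))
    return index


def annotate_alerts(alert_text, index):
    """Return the alert text with a source line added under each [**] header."""
    out = []
    for line in alert_text.splitlines():
        out.append(line)
        m = ALERT_RE.match(line)
        if m:
            hits = index.get(m.group(1))
            if hits:  # a msg defined in several files lists every location
                out.append("rule source: " + ", ".join(f"{f}:{n}" for f, n in hits))
            else:     # no rule file carries this msg
                out.append("rule source: (no matching msg in rule files)")
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample rule file and alert entry, for illustration only.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "snort-lib").write_text(
            'alert icmp any any -> any any '
            '(msg:"PING-ICMP Destination Unreachable"; itype:3;)\n')
        alert = ("[**] PING-ICMP Destination Unreachable [**]\n"
                 "07/18-13:00:45.54555 my.network.com -> evil.person.com\n")
        print(annotate_alerts(alert, index_rules(d)))
```

Matching is by exact msg text, so two rules that share a msg are both reported and the rule to edit has to be picked by hand.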
