[Snort-users] (no subject)

Martin Roesch roesch at ...1...
Wed Jul 19 23:54:49 EDT 2000


Jim Burnes wrote:
> 
> Marty et al:
> 
> We're trying to implement a few additions to snort here at Savvis.
> 
> (1) Sending alerts via SNMP to our Enterprise monitoring/logging DB.

Cool.

> (2) Squelching the noise to only look for what we want
> (3) Assign some severity level to the events for SNMP

Check out the version in CVS, it allows you to have multiple arbitrary
alerting levels via Andrew Baker's detection engine mods.

> (4) Be able to easily indicate a list of internal subnets which
>     should be ignored if you see traffic flowing between them.
>    (right now I have this implemented via a BPF pre-filter, but
>    there must be a more elegant method.  The BPF filter gets a little
>    complicated.)

Have you looked at using pass rules?  Try pass rules combined with the -o
switch to do this sort of thing.  See http://www.snort.org/snort_rules.html
for more info on writing rules....

-- 
Martin Roesch                      <roesch at ...2...>
Core R&D                         http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management
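As an added example, not part of the original thread, here is a rules-file fragment that does what Marty suggests: a single pass rule that covers traffic between internal subnets, with -o on the command line so the pass rule is consulted before the alert rules. The subnet values, message strings, and file names are assumed for illustration, and the bracketed IP-list syntax plus the sid/rev keywords follow later Snort 2.x conventions rather than anything the 2000-era post specifies.

```snort
# Hypothetical internal address space (assumed values, not from the thread).
var INTERNAL [10.0.0.0/8,192.168.0.0/16]

# Pass rule: ignore any IP traffic that is both sourced from and destined to
# an internal subnet.  One rule replaces a BPF expression that would need a
# separate "src net X and dst net Y" clause for every subnet pair.
pass ip $INTERNAL any -> $INTERNAL any (msg:"internal-to-internal traffic, ignored"; sid:1000001; rev:1;)

# Ordinary alert rules follow.  In the Snort 1.x releases contemporary with
# this post the default rule order is Alert, Pass, Log, so without -o the rule
# below would fire on internal-to-internal telnet before the pass rule is ever
# consulted.  Running with -o changes the order to Pass, Alert, Log.
alert tcp any any -> $INTERNAL 23 (msg:"inbound telnet SYN"; flags:S; sid:1000002; rev:1;)

# Invocation (assumed file and interface names):
#   snort -o -c snort.conf -i eth0
```

Two caveats before copying this. First, -o is global: once pass rules win, every pass rule shadows every alert rule for the traffic it matches, so a pass on all internal-to-internal IP traffic also blinds the sensor to lateral movement between internal hosts; narrow it to the protocols or subnets that are actually noisy where you can. Second, later Snort 2.x releases expose the evaluation order through a `config order:` directive and changed the default, so check the manual for the version you run rather than assuming -o is still required.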
