[Snort-users] (no subject)
roesch at ...1...
Wed Jul 19 23:54:49 EDT 2000
Jim Burnes wrote:
> Marty et al:
> Were trying to implement a few additions to snort here at Savvis.
> (1) Sending alerts via SNMP to our Enterprise monitoring/logging DB.
> (2) Squelching the noise to only look for what we want
> (3) Assign some severity level to the events for SNMP
Check out the version in CVS, it allows you to have multiple arbitrary
alerting levels via Andrew Baker's detection engine mods.
> (4) Be able to easily indicate a list of internal subnets which
> should be ignored if you see traffic flowing between them.
> (right now I have this implemented via a BPF pre-filter, but
> there must be a more elegant method. The BPF filter gets a little
Have you looked at using pass rules? Try pass rules combined with the -o
switch to do this sort of thing. See http://www.snort.org/snort_rules.html
for more info on writing rules....
Martin Roesch <roesch at ...2...>
Core R&D http://www.hiverworld.com
Hiverworld, Inc. Continuous Adaptive Risk Management
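The pass-rule approach Marty points to, written out as an added configuration example that is not part of the thread; it assumes a Snort 1.x release that supports `var` and bracketed IP lists, and the subnets are constructed.

```snort
# Added example, not from the thread: a Snort 1.x rules file that ignores
# traffic between internal subnets using pass rules. Run it as:
#   snort -o -c internal-pass.rules
# Without -o the rule order is Alert -> Pass -> Log, so a matching alert
# rule fires before the pass rule is consulted; -o changes the order to
# Pass -> Alert -> Log so the pass rule wins.
#
# Subnet values are constructed; the bracketed list syntax is assumed to
# be supported by the Snort release in use.
var INTERNAL [10.1.0.0/16,10.2.0.0/16]

# Any IP traffic with both endpoints inside INTERNAL is passed, so it
# never reaches the alert rules (or whatever alert output, e.g. SNMP,
# sits behind them).
pass ip $INTERNAL any -> $INTERNAL any (msg:"internal-to-internal pass";)

# A normal alert rule still fires for internal -> external traffic,
# because the pass rule only matches when both ends are internal.
alert tcp $INTERNAL any -> !$INTERNAL 23 (msg:"Outbound telnet";)
```

Traffic from an internal host to an outside address still hits the alert rules, so only the internal-to-internal chatter is squelched.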