[Snort-users] Question on Logging and Alerts Suggestion

Martin Roesch roesch at ...1...
Thu Jul 20 00:09:38 EDT 2000


Interesting idea, it should be doable.  If we did it, I'd probably want to
enable it as a command line switch because not everyone would want to see that
info all the time.  Alternatively, using grep works quite well. :)

I'll take this under advisement for 1.7!

    -Marty

Scott Brown wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> Would there be a way for SNORT to stamp the file in which it found the rule
> into the alert file, or in any other logging?  Many times I would
> like to remove a rule or change it to fit my environment yet have to
> look through each of the "*-lib" files for the given rule.
> 
> If it could look something like the following:
> 
> [**] PING-ICMP Destination Unreachable [**]
> snort-lib rule set   <<<--------(this is what I would like in each log)
> 07/18-13:00:45.54555 my.network.com -> evil.person.com
> ICMP TTL:128 TOS:0x0 ID:19237
> DESTINATION UNREACHABLE: PORT UNREACHABLE
> 
> I'm not sure if SNORT does not know the rule set it received it from,
> or if it views it as one big set of rules.  I'm open to flames or
> suggestions.  I'm somewhat new to SNORT so be kind please.
> 
> Thank You
> 
> Scott Brown
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.3
> 
> iQDVAwUBOXSWnOR1bNjZZPIhAQEMPgX/Wo6EHZs5uJPoMZDXEVOPM0HwgCXg/tSb
> VGkHMp6hXkUSI82PUHfMDzOd1mFnWM8zwrnulRfRPuUVcxlUq1cteltY4+LWC5Il
> d1QTkV4Sw3z3x1yQ7VYoVdn6e5mE1b26AniTS3ffZ9MJ+iDQSqKmrJD+N79cAVqJ
> VzUo/cA3AA3ufjAdWsEWGIMl+3KJsWHAJxAmIV9PZ4mFNmIyFUj6eFc+43KvKn27
> uZiVSFo0lpeJCvzwzt89Rw8PrBJe1EUb
> =ekYX
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch                      <roesch at ...2...>
Core R&D                         http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management
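The thread above asks for a way to tie an alert back to the rule file that produced it, and Marty's answer is that grep over the rule files does the job. The script below is an added example written for this archive page, not code from the thread or from the Snort project: it does the grep programmatically, indexing the `msg:"..."` option of every rule in a set of rule files and then stamping each `[**] ... [**]` alert header with the file and line where that message is defined. The rule files, rule lines, and alert records it uses are constructed for the example (the hostnames are the ones from Scott's post); a message defined in two files gets both locations listed, and an alert whose message no rule file defines (such as a preprocessor alert) is reported as unmatched rather than dropped.

```python
import os
import re
import tempfile
from collections import defaultdict

# Matches the msg option in a rule body, e.g.  msg:"PING-ICMP Destination Unreachable";
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')
# Matches the first line of an alert record in the format quoted in the post: [**] text [**]
ALERT_HDR_RE = re.compile(r'^\[\*\*\]\s*(.*?)\s*\[\*\*\]$')

# Constructed sample rule files; file names and rule contents are made up for this example.
# The ICMP rule is deliberately present in both files to show the "defined twice" case.
SAMPLE_RULE_FILES = {
    "snort-lib": (
        '# constructed sample rules\n'
        'alert icmp any any -> any any (msg:"PING-ICMP Destination Unreachable"; itype:3;)\n'
        'alert tcp any any -> any 21 (msg:"FTP-bad-login"; content:"530 "; flags:PA;)\n'
    ),
    "misc-lib": (
        'alert tcp any any -> any 80 (msg:"WEB-CGI phf access"; content:"/phf";)\n'
        'alert icmp any any -> any any (msg:"PING-ICMP Destination Unreachable"; itype:3; icode:3;)\n'
    ),
}

# Constructed alert file in the layout shown in the post. The last record is a
# preprocessor-style alert that no rule file defines, so its lookup comes back empty.
SAMPLE_ALERTS = """\
[**] PING-ICMP Destination Unreachable [**]
07/18-13:00:45.54555 my.network.com -> evil.person.com
ICMP TTL:128 TOS:0x0 ID:19237
DESTINATION UNREACHABLE: PORT UNREACHABLE

[**] WEB-CGI phf access [**]
07/18-13:02:10.11111 evil.person.com:4321 -> my.network.com:80
TCP TTL:64 TOS:0x0 ID:4 DF

[**] spp_portscan: PORTSCAN DETECTED [**]
07/18-13:05:00.00000 evil.person.com
"""


def write_sample_rule_dir():
    """Write the constructed rule files into a temp directory and return their paths."""
    d = tempfile.mkdtemp(prefix="snort-rules-")
    paths = []
    for name, body in SAMPLE_RULE_FILES.items():
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write(body)
        paths.append(p)
    return paths


def index_rule_files(paths):
    """Return {msg text: [(file basename, line number), ...]} for every rule with a msg option.

    Blank lines and '#' comments are skipped. A msg defined in more than one file gets
    more than one entry, which is exactly the case where 'which file?' matters for tuning.
    """
    index = defaultdict(list)
    for path in paths:
        with open(path) as fh:
            for lineno, line in enumerate(fh, 1):
                stripped = line.strip()
                if not stripped or stripped.startswith("#"):
                    continue
                m = MSG_RE.search(stripped)
                if m:
                    index[m.group(1)].append((os.path.basename(path), lineno))
    return dict(index)


def annotate_alerts(alert_text, index):
    """For each alert header, return (msg, [(file, line), ...]); an empty list means unmatched."""
    out = []
    for line in alert_text.splitlines():
        m = ALERT_HDR_RE.match(line.strip())
        if m:
            msg = m.group(1)
            out.append((msg, index.get(msg, [])))
    return out


def stamped_alert_text(alert_text, index):
    """Re-emit the alert file with a 'rule source:' line after each header, as Scott asked for."""
    lines = []
    for line in alert_text.splitlines():
        lines.append(line)
        m = ALERT_HDR_RE.match(line.strip())
        if m:
            hits = index.get(m.group(1), [])
            src = ", ".join(f"{f}:{n}" for f, n in hits) if hits else "(no rule file defines this msg)"
            lines.append(f"rule source: {src}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    idx = index_rule_files(write_sample_rule_dir())
    print(stamped_alert_text(SAMPLE_ALERTS, idx))
```

Matching is done on the exact `msg` text, which is the same key a grep would use; if a site edits the msg string in one rule file and not the other, the two copies stop matching each other and the index will show only one location for each.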
