[Snort-users] Feature request..

Martin Roesch roesch at ...421...
Sat Mar 17 01:34:37 EST 2001


You can do this right now using the user-defined alerts.  Check it out:

ruletype crit
{
  type alert
  output alert_syslog: LOG_AUTH LOG_ALERT
  output database: log, mysql, user=snort dbname=snort host=localhost
}

ruletype info
{
   type log
   output log_tcpdump: info.log
}

# The ruletype name ("crit" or "info") is the rule's action, so the rule itself
# needs no severity option; Snort would reject an unknown option keyword.
crit tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS342/shellcode-LinuxCommonTCP"; flags: AP; content: "|90 90 90 e8 c0 ff ff ff|/bin/sh";)

info icmp $EXTERNAL_NET any -> $HOME_NET any (itype: 8; msg: "Ping";)

See the snort.conf output section and the Writing Snort Rules doc for
more info.

    -Marty

John_Delisle at ...1523... wrote:
> 
> Would it be hard to add a field to the snort rules that would allow you to
> specify a syslog alert level?
> 
> From this:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS342/shellcode-LinuxCommonTCP"; flags: AP; content: "|90 90 90 e8 c0 ff ff ff|/bin/sh";)
> 
> To something like this:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS342/shellcode-LinuxCommonTCP"; flags: AP; content: "|90 90 90 e8 c0 ff ff ff|/bin/sh"; severity: crit;)
> 
> Then you could sort messages easily and react to important ones.
> 
> Just a thought! :)
> 
> John Delisle
> Corporate Technology
> Ceridian Canada Ltd
> 204-975-5909
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org
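The mechanism Marty describes, as an added example that is not code from the Snort project or from either poster: a small Python parser for the "ruletype NAME { type ...; output ... }" block syntax that then resolves each rule's leading action word to the base type and output plugins that ruletype binds. It assumes single-line rules of the form "action proto src sport -> dst dport (options)" (the "<>" direction is also accepted) and treats the built-in actions alert, log and pass as using the global outputs. The sample configuration is constructed from the declarations in the reply above, plus one rule whose action is deliberately misspelled to show how such a typo is caught before Snort refuses the file.

```python
"""Resolve Snort rule actions to the outputs a user-defined ruletype binds.

Added example (not Snort's own parser). It handles the ruletype block syntax
shown in the reply: each block becomes a new action word, and every rule that
starts with that word fires the block's output plugins instead of the globals.
"""
import re
from dataclasses import dataclass, field

# Actions Snort defines itself; they use the global "output" plugins (assumption
# for this example: no other built-in actions are modelled).
BUILTIN_ACTIONS = {"alert", "log", "pass"}

BLOCK_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.S)
RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*(->|<>)\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


@dataclass
class RuleType:
    name: str
    base: str = "alert"                         # underlying "type" line
    outputs: list = field(default_factory=list)  # output plugin specs, in order


def parse_ruletypes(conf):
    """Collect every ruletype block in conf as {name: RuleType}."""
    types = {}
    for name, body in BLOCK_RE.findall(conf):
        rt = RuleType(name=name)
        for line in body.splitlines():
            line = line.strip()
            if line.startswith("type "):
                rt.base = line.split(None, 1)[1].strip()
            elif line.startswith("output "):
                rt.outputs.append(line[len("output "):].strip())
        types[name] = rt
    return types


def resolve_rules(conf, types):
    """Map each rule line to the tier its action selects and the outputs fired.

    Returns a list of dicts with keys action, proto, msg, base, outputs and,
    for an action that is neither built in nor a declared ruletype, error.
    """
    resolved = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # directive, ruletype body line, brace, etc.
        action, proto, opts = m.group(1), m.group(2), m.group(8)
        msg = re.search(r'msg\s*:\s*"([^"]*)"', opts)
        entry = {"action": action, "proto": proto,
                 "msg": msg.group(1) if msg else None}
        if action in types:
            entry["base"] = types[action].base
            entry["outputs"] = list(types[action].outputs)
        elif action in BUILTIN_ACTIONS:
            entry["base"] = action
            entry["outputs"] = []  # global output plugins apply
        else:
            entry["base"] = None
            entry["outputs"] = []
            entry["error"] = f"unknown action {action!r}: no ruletype declares it"
        resolved.append(entry)
    return resolved


# Constructed sample config: the reply's two ruletypes and rules, a built-in
# alert rule, and a rule whose action is misspelled ("crti").
SAMPLE_CONF = """
ruletype crit
{
  type alert
  output alert_syslog: LOG_AUTH LOG_ALERT
  output database: log, mysql, user=snort dbname=snort host=localhost
}

ruletype info
{
   type log
   output log_tcpdump: info.log
}

# severity is carried by the action word, not by a rule option
crit tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS342/shellcode-LinuxCommonTCP"; flags: AP; content: "|90 90 90 e8 c0 ff ff ff|/bin/sh";)
info icmp $EXTERNAL_NET any -> $HOME_NET any (itype: 8; msg: "Ping";)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg: "DNS probe";)
crti tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "typo in action word";)
"""

if __name__ == "__main__":
    rts = parse_ruletypes(SAMPLE_CONF)
    for r in resolve_rules(SAMPLE_CONF, rts):
        print(r.get("error") or f"{r['action']:>5} -> {r['base']}: {r['outputs'] or 'global outputs'}")
```

Running the block prints one line per rule showing which output plugins it reaches; the misspelled "crti" rule is reported as an unknown action rather than silently falling through to the global outputs.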
