[Snort-users] Feature Request
Maxim.Gansert at ...3569...
Mon Sep 24 06:13:02 EDT 2001
I'm testing Snort as a NIDS and I was quite happy until I realized
that Snort is far away from automation. As you might imagine, you
won't look at the logs the whole day and run a SQL query against a
MySQL DB every minute.
Features to be requested:
- Script startup at a definite level
I would like to have the following options:
Priority == 3 -> start /usr/snort/scripts/myPrio3Script
Priority >= 6 -> start /usr/snort/Scripts/emailalert xyz at ...3570...
Priority >= 9 -> start /usr/snort/scripts/emailalert SecurityStaff
emailalert: should inform a special user or a group that you are
under attack, with some information: SourceIP, DestinationIP, Type of
and Priority of this event.
- Automatic archiving
Script startup at a definite point:
size(alertlog) >= 1 MB /usr/snort/scripts/archivelog
first(alertlog) >= 4 h /usr/snort/scripts/archivelog
remain(mountpoint_space) <= 10 MB /usr/snort/scripts/emailalert
- Have an option to kill or log a TCP session, or to manage a router, per
event (not priority). So you can force a special policy for your
And also have a first action against an offending user. If someone
complains you can simply say it was a mistake and the rules can be
it was/is a real threat against the policy.
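The priority-threshold dispatch and the archive triggers sketched in the post, as an added example in Python (it is not code from the original message, from Snort, or from anyone on the list). It assumes Snort's `-A fast` alert line layout; the script paths and thresholds are the post's hypothetical values, the recipient address is a placeholder, and the sample alert lines are constructed. Nothing is executed unless `execute=True` is passed.

```python
"""Priority-driven action dispatch and archive checks over Snort 'fast' alerts.

Added example implementing the scheme from the feature request; the
thresholds, script paths and sample lines are assumptions, not Snort's.
"""
import os
import re
import shutil
import subprocess
import time
from dataclasses import dataclass

# Layout of a Snort "fast" alert line (snort -A fast). Classification is optional.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sig>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample input (not real traffic); the last line is deliberately malformed.
SAMPLE_ALERTS = [
    "09/24-06:13:02.123456  [**] [1:1000001:1] CONSTRUCTED portscan probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] {TCP} 10.0.0.5:40000 -> 192.168.1.10:80",
    "09/24-06:13:03.000001  [**] [1:1000002:1] CONSTRUCTED suspicious payload [**] "
    "[Priority: 6] {UDP} 10.0.0.6:5353 -> 192.168.1.10:53",
    "09/24-06:13:04.000002  [**] [1:1000003:2] CONSTRUCTED policy violation [**] "
    "[Classification: Misc Attack] [Priority: 9] {TCP} 10.0.0.7:1234 -> 192.168.1.11:22",
    "not an alert line",
]


@dataclass
class Alert:
    timestamp: str
    signature: str
    message: str
    classification: str
    priority: int
    proto: str
    src: str
    dst: str


def parse_fast_alert(line):
    """Parse one fast-format line; return None for anything that does not match."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], m["sig"], m["msg"], m["cls"] or "",
                 int(m["prio"]), m["proto"], m["src"], m["dst"])


# Hypothetical dispatch table following the post's scheme: (predicate on priority, argv).
# "{src}" and friends are whole-argument placeholders filled from the alert.
RECIPIENT = "oncall@example.invalid"  # placeholder for the post's elided address
DISPATCH = [
    (lambda p: p == 3, ["/usr/snort/scripts/myPrio3Script", "{src}", "{dst}", "{msg}", "{prio}"]),
    (lambda p: p >= 6, ["/usr/snort/scripts/emailalert", RECIPIENT, "{src}", "{dst}", "{msg}", "{prio}"]),
    (lambda p: p >= 9, ["/usr/snort/scripts/emailalert", "SecurityStaff", "{src}", "{dst}", "{msg}", "{prio}"]),
]


def plan_actions(alert):
    """Return the argv lists whose threshold this alert meets (nothing is run)."""
    fields = {"{src}": alert.src, "{dst}": alert.dst, "{msg}": alert.message,
              "{prio}": str(alert.priority), "{proto}": alert.proto}
    # Substitute only whole-argument placeholders, so packet-derived text is never
    # interpreted as a template and never reaches a shell.
    return [[fields.get(arg, arg) for arg in argv] for cond, argv in DISPATCH if cond(alert.priority)]


def run_actions(alert, execute=False):
    """Plan actions and, if asked, run them as argv lists (no shell)."""
    plans = plan_actions(alert)
    if execute:
        for argv in plans:
            subprocess.run(argv, check=False)
    return plans


def process_lines(lines):
    """Run the dispatch over log lines; returns (alert, planned argv lists) per valid line."""
    results = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is not None:
            results.append((alert, plan_actions(alert)))
    return results


def archive_due(log_bytes, first_entry_age_s, free_bytes,
                max_bytes=1 << 20, max_age_s=4 * 3600, min_free_bytes=10 << 20):
    """Return which of the post's archive triggers hold: size, age, space."""
    reasons = []
    if log_bytes >= max_bytes:
        reasons.append("size")
    if first_entry_age_s >= max_age_s:
        reasons.append("age")
    if free_bytes <= min_free_bytes:
        reasons.append("space")
    return reasons


def gather_log_state(path, log_started_at):
    """Collect inputs for archive_due from the filesystem. log_started_at is the
    epoch time the caller recorded at the last rotation (assumption: fast-format
    timestamps carry no year, so the first entry's age is tracked externally)."""
    size = os.stat(path).st_size
    free = shutil.disk_usage(os.path.dirname(os.path.abspath(path))).free
    return size, time.time() - log_started_at, free


if __name__ == "__main__":
    for alert, plans in process_lines(SAMPLE_ALERTS):
        print(alert.priority, alert.src, "->", alert.dst, plans)
    print(archive_due(2 << 20, 5 * 3600, 5 << 20))
```

Two caveats for anyone wiring this up. First, in Snort's own classification.config priority 1 is the most severe and larger numbers are less severe, so the post's "higher is worse" thresholds have to be inverted before they are applied to real Snort output. Second, fields such as source and destination come from the packet, so actions are invoked as argv lists without a shell; a script that later builds a command line from them would reintroduce the problem.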