[Snort-users] Feature Request

Maxim Gansert Maxim.Gansert at ...3569...
Mon Sep 24 06:13:02 EDT 2001


Hi *

I'am testing Snort as a NIDS and i was quite happy until i realized,
that Snort is far away from automatisation. As you might can imagine
you won't look a whole day at the logs and make every minute a SQL -
Query against a MySQL-DB.

Features to be requested 
- Skript-Startup at a definite Level
  i would like to have the followin Options:
  Priority == 3 -> start /usr/snort/scripts/myPrio3Script
  Priority >= 6 -> start /usr/snort/Scripts/emailalert
xyz at ...3570...
  Priority >= 9 -> start /usr/snort/scripts/emailalert SecurityStaff

emailalert: should inform a special user or a group, that you are
under Attack. With some Information : SourceIP, DestinationIP, Type of
Attack
and Priority of this event.
  
- automatic Archiving
  Skript-Startup at a definite Point
  size(alertlog) >= 1 MB /usr/snort/scripts/archivelog
  first(alertlog) >= 4 h /usr/snort/scripts/archivelog
  remain(mountpoint_space) <=10 MB /usr/snort/scripts/emailalert
RanOutOfSpaceStaff
  
- Have an Option to kill or log TCP Session or to manage a Router, for
each
  Event (not Priority). So you can force a special policy for your
Network(s).
  And also to have a first action against an offending user. If someone
  complains you can simply say, it was a mistake and the rules can be
tuned, but
  it was/is a real threat against the policy.

Ciao,
Maxim




More information about the Snort-users mailing list