[Snort-users] Feature Request
erek at ...577...
Mon Sep 24 06:49:08 EDT 2001
On Mon, 24 Sep 2001, Maxim Gansert wrote:
> Features to be requested
> - Script-Startup at a definite Level
Startup scripts have been posted to the list multiple times. Check the
> I would like to have the following options:
> Priority == 3 -> start /usr/snort/scripts/myPrio3Script
> Priority >= 6 -> start /usr/snort/Scripts/emailalert
> xyz at ...3570...
> Priority >= 9 -> start /usr/snort/scripts/emailalert SecurityStaff
> emailalert: should inform a special user or a group, that you are
> under Attack. With some Information : SourceIP, DestinationIP, Type of
> and Priority of this event.
Already covered in the FAQ.
> - automatic Archiving
> Script-Startup at a definite Point
> size(alertlog) >= 1 MB /usr/snort/scripts/archivelog
> first(alertlog) >= 4 h /usr/snort/scripts/archivelog
> remain(mountpoint_space) <=10 MB /usr/snort/scripts/emailalert
I haven't had any coffee so I'm still braindead and cranky--But that's about a
15-20 line shell script run from cron at whatever interval you want.
> - Have an Option to kill or log TCP Session or to manage a Router, for
> Event (not Priority). So you can force a special policy for your
> And also to have a first action against an offending user. If someone
> complains you can simply say, it was a mistake and the rules can be
> tuned, but
> it was/is a real threat against the policy.
Ummm... Check out Guardian. There's also another program someone has written
that will do ipf (or is it iptables?) rules.
To quote Marty "Snort is a Lightweight Intrusion Detection System." The
things you are asking for are better served as _external_ addons or
contributions to snort instead of features. Personally, I don't want snort to
slow down one bit, I like how fast it runs! :) Functionality that can
remain external to snort is better left external.
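
The cron-driven archiving script the reply alludes to, as an added example that is not part of the original thread and not code from the Snort project. The `<log>.since` stamp file, the archive naming, the copy-then-truncate approach and the optional alert command argument (standing in for the poster's `emailalert`) are all assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Thresholds follow the request:
# 1 MB log size, 4 h since alerts first appeared, 10 MB free space.
# The "<log>.since" stamp file and archive naming are assumptions of this sketch.

# needs_archive LOG MAX_BYTES MAX_AGE_SECS [NOW]
# True when LOG has reached MAX_BYTES, or has held alerts for MAX_AGE_SECS.
needs_archive() {
    log=$1 max_bytes=$2 max_age=$3 now=${4:-$(date +%s)}
    [ -s "$log" ] || return 1                    # missing or empty: nothing to do
    size=$(($(wc -c < "$log")))                  # arithmetic strips wc padding
    [ "$size" -ge "$max_bytes" ] && return 0
    # First run that sees alerts records the time; age is measured from there.
    [ -r "$log.since" ] || { echo "$now" > "$log.since"; return 1; }
    started=$(cat "$log.since")
    [ $((now - started)) -ge "$max_age" ]
}

# archive_log LOG DEST_DIR [NOW]: prints the archive path on success.
# Copy-then-truncate leaves the writer's open file handle valid (assumes it
# appends); alerts written between the two steps are lost.
archive_log() {
    log=$1 dest=$2 now=${3:-$(date +%s)}
    mkdir -p "$dest" || return 1
    out="$dest/$(basename "$log").$now"
    cp "$log" "$out" || return 1
    : > "$log"
    rm -f "$log.since"
    echo "$out"
}

# low_space MOUNT MIN_KB: true when MOUNT has MIN_KB or less available.
# An unreadable df result counts as low, so a broken check still raises a flag.
low_space() {
    avail=$(df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}')
    [ "${avail:-0}" -le "$2" ]
}

# Cron entry point: script LOG DEST_DIR [ALERT_CMD]
# ALERT_CMD stands in for the poster's emailalert script (defaults to echo).
if [ "$#" -ge 2 ]; then
    if needs_archive "$1" 1048576 14400; then
        archive_log "$1" "$2" > /dev/null
    fi
    if low_space "$2" 10240; then
        ${3:-echo} "low disk space on $2"
    fi
fi
```

Run from cron at an interval shorter than the age threshold; the age check is only as precise as that interval.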