[Snort-users] Feature Request

Erek Adams erek at ...577...
Mon Sep 24 06:49:08 EDT 2001


On Mon, 24 Sep 2001, Maxim Gansert wrote:

[...snip...]

> Features to be requested
> - Script startup at a definite level

Startup scripts have been posted to the list multiple times.  Check the
archives.

>   I would like to have the following options:
>   Priority == 3 -> start /usr/snort/scripts/myPrio3Script
>   Priority >= 6 -> start /usr/snort/Scripts/emailalert xyz at ...3570...
>   Priority >= 9 -> start /usr/snort/scripts/emailalert SecurityStaff
>
> emailalert: should inform a special user or a group that you are
> under attack, with some information: source IP, destination IP, type of
> attack and priority of this event.

Already covered in the FAQ.

http://snort.sourcefire.com/docs/faq.html#5.7

> - automatic archiving
>   Script startup at a definite point
>   size(alertlog) >= 1 MB            /usr/snort/scripts/archivelog
>   first(alertlog) >= 4 h            /usr/snort/scripts/archivelog
>   remain(mountpoint_space) <= 10 MB /usr/snort/scripts/emailalert RanOutOfSpaceStaff

I haven't had any coffee so I'm still braindead and cranky--but that's about a
15-20 line shell script run from cron at whatever interval you want.

> - Have an option to kill or log TCP sessions or to manage a router, for
>   each event (not priority), so you can force a special policy for your
>   network(s). And also to have a first action against an offending user.
>   If someone complains you can simply say it was a mistake and the rules
>   can be tuned, but it was/is a real threat against the policy.

Ummm...  Check out Guardian.  There's also another program someone has written
that will do ipf (or is it iptables?) rules.

To quote Marty "Snort is a Lightweight Intrusion Detection System."  The
things you are asking for are better served as _external_ addons or
contributions to snort instead of features.  Personally, I don't want snort to
slow down one bit, I like how fast it runs!  :)  Functionality that can
remain external to snort is better left external.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
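
The "15-20 line shell script run from cron" that Erek alludes to, written
out as an added example for this thread (it is not code from Snort, from
Erek, or from the list). It implements the three archiving conditions in
Maxim's request: rotate when the alert log reaches 1 MB, rotate when the
current log is more than 4 hours old, and page the on-call staff when the
filesystem holding the log has 10 MB or less free. All paths, the
archivelog/emailalert helper names and the RanOutOfSpaceStaff recipient are
assumptions modelled on the request; Snort does not timestamp "the first
entry" in a machine-readable way, so the age check uses the mtime of a
marker file that the script touches each time it archives.

```shell
#!/bin/sh
# Snort alert-log watchdog, intended to run from cron every few minutes, e.g.
#   */5 * * * * /usr/snort/scripts/alertwatch.sh run
# Added example for the Snort-users thread; not part of Snort. Every path and
# helper script below is an assumption modelled on the feature request.
set -eu

SNORT_DIR="${SNORT_DIR:-/usr/snort}"
ALERT_LOG="${ALERT_LOG:-$SNORT_DIR/log/alert}"
# Touched whenever the log is archived; its mtime stands in for the time of
# the first entry in the current alert log ("first(alertlog)").
MARKER="${MARKER:-$SNORT_DIR/log/.alert_archived_at}"
ARCHIVE_CMD="${ARCHIVE_CMD:-$SNORT_DIR/scripts/archivelog}"   # hypothetical helper
EMAIL_CMD="${EMAIL_CMD:-$SNORT_DIR/scripts/emailalert}"       # hypothetical helper
DISK_STAFF="${DISK_STAFF:-RanOutOfSpaceStaff}"

MAX_LOG_BYTES=$((1024 * 1024))   # size(alertlog) >= 1 MB
MAX_LOG_AGE_MIN=240              # first(alertlog) >= 4 h
MIN_FREE_KB=$((10 * 1024))       # remain(mountpoint_space) <= 10 MB

# Size of $1 in bytes; 0 if the file does not exist yet.
log_size_bytes() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# Exit 0 if $1 exists and was last modified more than $2 minutes ago.
# (-mmin is a GNU/BSD find extension, not strictly POSIX, but is universal.)
older_than_min() {
    [ -e "$1" ] && [ -n "$(find "$1" -mmin "+$2" 2>/dev/null)" ]
}

# Free space in KB on the filesystem holding $1, from POSIX "df -P" output.
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Print why the log must be archived ("size" or "age"), or nothing at all.
archive_reason() {
    if [ "$(log_size_bytes "$ALERT_LOG")" -ge "$MAX_LOG_BYTES" ]; then
        echo size
    elif older_than_min "$MARKER" "$MAX_LOG_AGE_MIN"; then
        echo age
    fi
}

# Exit 0 when the filesystem holding the alert log is down to MIN_FREE_KB.
space_low() {
    [ "$(free_kb "$(dirname "$ALERT_LOG")")" -le "$MIN_FREE_KB" ]
}

main() {
    reason="$(archive_reason)"
    if [ -n "$reason" ]; then
        "$ARCHIVE_CMD" "$ALERT_LOG"   # rotate/compress; left to the helper
        touch "$MARKER"               # the new log starts now
    fi
    if space_low; then
        "$EMAIL_CMD" "$DISK_STAFF"
    fi
}

# Only act when invoked with "run", so the file can be sourced for testing.
if [ "${1:-}" = run ]; then
    main
fi
```

Run the checks more often than the shortest interval you care about (the
4-hour age test is only as precise as the cron period), and keep the
archive helper idempotent: if two cron instances overlap on a slow rotation,
the second should find nothing left to do rather than archive twice.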
