[Snort-users] Feature Request
Maxim.Gansert at ...3569...
Mon Sep 24 08:06:03 EDT 2001
> Startup scripts have been posted to the list multiple times. Check the
Thanks, but where is that archive ?
> Already covered in the FAQ.
Alerting is one of the most interesting features of an IDS, independent of
whether it is lightweight or not. I want to configure which levels of events
go to syslog and when to log to a file. It would be nice to change the .rules
file(s) to allow these features; I am not asking how to do it.
These priorities must be in the rules files, they should be parsed
correctly, and they must be written to the syslog, but checking the syslog
with Cisco Works Syslog Checker is one of the easier parts.
> > - Automatic archiving
> > Script startup at a definite point
> > size(alertlog) >= 1 MB /usr/snort/scripts/archivelog
> > first(alertlog) >= 4 h /usr/snort/scripts/archivelog
> > remain(mountpoint_space) <=10 MB /usr/snort/scripts/emailalert
> > RanOutOfSpaceStaff
> I haven't had any coffee so I'm still braindead and cranky, but that's about a
> 15-20 line shell script run from cron at whatever interval you want.
OK, I won't bother you... it could be a simple addition to the source, but
when you say a script is faster, I will do so.
> > - Have an option to kill or log a TCP session or to manage a router, for
> > each event (not priority). So you can force a special policy for your
> > network(s).
> > And also to have a first action against an offending user. If someone
> > complains you can simply say it was a mistake and the rules can be
> > tuned, but it was/is a real threat against the policy.
> Ummm... Check out Guardian. There's also another program someone has written
> that will do ipf (or is it iptables?) rules.
To manage a router: I am interested in a solution to manage a normal
perimeter router (Cisco, ...) like this:
Someone tries to get admin privileges (could be useful):
1.) Reset the TCP session (packet on the sniffing device)
2.) Manage the router (DENY IP.A.DD.R on ACL:INTERFACE ROUTER_IP)
3.) A few minutes later, a mail could be sent.
For the TCP reset and management script feature, the .rules file would
define some standard action, which could be implemented. Maybe in your
proposed alternative it is the following:
1.) Log to syslog server
2.) Check incoming syslog traffic with a script against a set of rules
3.) Mail to security staff
4.) Find out the IP address with sed & awk
5.) Start the router management script.
The intruder now has a valid session or can simply start elsewhere with
the information he gathered.
> To quote Marty "Snort is a Lightweight Intrusion Detection System." The
> things you are asking for are better served as _external_ addons or
> contributions to snort instead of features. Personally, I don't want snort to
> slow down one bit, I like how fast it runs! :) Functionality that can
> remain external to snort is better left external.
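The cron-driven archive script that the reply above estimates at 15-20 lines, written out here as an added example (not code from this thread or from the Snort project): it implements the three archiving checks from the feature request, size >= 1 MB, first entry >= 4 h, free space <= 10 MB. Paths, thresholds, the mail address, and the presence of `logger` and `mail` on the sensor are assumptions.

```shell
#!/bin/sh
# Cron-driven alert-log archiver; added example, not the thread's or Snort's own.
# Paths, thresholds and the mail address are assumptions: override via environment.
ALERT_LOG="${ALERT_LOG:-/var/log/snort/alert}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/snort/archive}"
MAX_SIZE_KB="${MAX_SIZE_KB:-1024}"    # size(alertlog) >= 1 MB  -> archive
MAX_AGE_MIN="${MAX_AGE_MIN:-240}"     # first(alertlog) >= 4 h  -> archive
MIN_FREE_KB="${MIN_FREE_KB:-10240}"   # remain(space) <= 10 MB  -> mail staff
MAIL_TO="${MAIL_TO:-security-staff@example.invalid}"
file_size_kb() {   # whole KB, 0 if the file is missing
    [ -f "$1" ] || { echo 0; return; }
    echo $(( $(wc -c < "$1") / 1024 ))
}
# archive_needed LOG ARCHIVE_DIR MAX_KB MAX_MIN -> size|age|none. Age counts from
# a stamp touched at each archive run: the log's mtime only dates the newest alert.
archive_needed() {
    log=$1; dir=$2; stamp="$dir/.last_archive"
    [ -f "$log" ] || { echo none; return; }
    mkdir -p "$dir"; [ -f "$stamp" ] || touch "$stamp"   # first run starts the clock
    if [ "$(file_size_kb "$log")" -ge "$3" ]; then echo size
    elif [ -s "$log" ] && [ -n "$(find "$stamp" -mmin +"$4")" ]; then echo age
    else echo none; fi
}

# archive_log LOG ARCHIVE_DIR -> prints the archive path. Copy, then truncate in
# place: Snort keeps writing to the same inode, so a rename would not rotate it.
archive_log() {
    dest="$2/alert.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$2"; cp "$1" "$dest"; : > "$1"; touch "$2/.last_archive"
    echo "$dest"
}

space_low() {   # space_low DIR MIN_KB -> yes|no; df -P column 4 is KB available
    free=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    [ "${free:-0}" -le "$2" ] && echo yes || echo no
}

main() {
    reason=$(archive_needed "$ALERT_LOG" "$ARCHIVE_DIR" "$MAX_SIZE_KB" "$MAX_AGE_MIN")
    if [ "$reason" != none ]; then
        dest=$(archive_log "$ALERT_LOG" "$ARCHIVE_DIR")
        logger -t snort-archive "archived $ALERT_LOG to $dest ($reason)"
    fi
    if [ "$(space_low "$ARCHIVE_DIR" "$MIN_FREE_KB")" = yes ]; then
        echo "free space under $ARCHIVE_DIR <= $MIN_FREE_KB KB" |
            mail -s "snort: archive filesystem nearly full" "$MAIL_TO"
    fi
}
# crontab entry, e.g.:  */10 * * * * /usr/snort/scripts/archivelog run
if [ "${1-}" = run ]; then main; fi
```

The copy-then-truncate step is the part worth keeping even if the thresholds change: a plain `mv` leaves the running Snort process writing into the renamed archive file.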