[Snort-users] Feature Request

Maxim Gansert Maxim.Gansert at ...3569...
Mon Sep 24 08:06:03 EDT 2001


Hi *,

> Startup scripts have been posted to the list multiple times.  Check the
> archives.

Thanks, but where is that archive?

> Already covered in the FAQ.
> http://snort.sourcefire.com/docs/faq.html#5.7

Alerting is one of the most interesting features of an IDS, independent of
whether it is lightweight or not. I want to configure which levels of events
go to syslog and when to log to a file. It would be nice to change the .rules
file(s) to allow these features; I am not asking how to do it.
These priorities must be in the rules files, they should be parsed
correctly, and they must be written to the syslog, but checking the syslog
with Cisco Works Syslog Checker is one of the easier parts.

> > - automatic Archiving
> >   Script startup at a definite point
> >   size(alertlog) >= 1 MB /usr/snort/scripts/archivelog
> >   first(alertlog) >= 4 h /usr/snort/scripts/archivelog
> >   remain(mountpoint_space) <= 10 MB /usr/snort/scripts/emailalert RanOutOfSpaceStaff
> 
> I haven't had any coffee so I'm still braindead and cranky--But that's about a
> 15-20 line shell script run from cron at whatever interval you want.

OK, I won't bother you... it could be a simple addition to the source, but when
you say a script is faster, I will do so.

> > - Have an option to kill or log a TCP session or to manage a router, for
> >   each event (not priority). So you can enforce a special policy for your
> >   network(s). And also to have a first action against an offending user.
> >   If someone complains you can simply say it was a mistake and the rules
> >   can be tuned, but it was/is a real threat against the policy.
> 
> Ummm...  Check out Guardian.  There's also another program someone has written
> that will do ipf (or is it iptables?) rules.

To manage a router: I am interested in a solution to manage a normal
perimeter router (Cisco, ...) like this:

Someone tries to get admin privileges (could be useful):
1.) Reset the TCP session (packet sent from the sniffing device)
2.) Manage the router (DENY IP.A.DD.R on ACL:INTERFACE ROUTER_IP
    ENABLE_PW:ACCOUNT:PW)
3.) A few minutes later, a mail could be sent.

For the TCP-reset and start-management-script features, the .rules file
could define some standard action, which could be implemented, maybe in
Snort.

Your proposed alternative is the following:
1.) Log to a syslog server
2.) Check incoming syslog traffic with a script against a set of rules
3.) Mail to the security staff
4.) Find out the IP address with sed & awk
5.) Start the router management script.

The intruder now has a valid session, or can simply start elsewhere with the
information he has gathered.

> 
> To quote Marty "Snort is a Lightweight Intrusion Detection System."  The
> things you are asking for are better served as _external_ addons or
> contributions to snort instead of features.  Personally, I don't want snort to
> slow down one bit, I like how fast it runs!  :)  Functionality that can
> remain external to snort is better left external.
> 

Cheers,
Maxim
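The alternative sketched in the reply above (alerts into syslog, a script that filters them by priority, sed/awk to pull out the offending address, then the router-management step), written out as a POSIX shell script. This is an added example for this page, not code from the thread or from the Snort project. The log lines are constructed in Snort's syslog alert format with made-up hostnames, PIDs and addresses; the ACL name SNORT_BLOCK and the protected network 198.51.100.0/24 are assumptions; and the generated IOS commands are only printed, not pushed to a router, so the credential handling of the original proposal (ENABLE_PW:ACCOUNT:PW) is deliberately left out.

```shell
#!/bin/sh
# Added example (not from the thread): Snort syslog alerts -> offending
# source addresses -> Cisco IOS ACL deny lines, as a cron-driven script.

# Constructed sample in Snort's syslog alert format. Host "ids", PID 1234
# and all addresses are made up (RFC 5737 documentation ranges).
SAMPLE_LOG='Sep 24 08:01:12 ids snort[1234]: [1:1256:1] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.0.2.77:3312 -> 198.51.100.10:80
Sep 24 08:01:15 ids snort[1234]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.0.2.78 -> 198.51.100.10
Sep 24 08:02:02 ids snort[1234]: [1:1228:1] SCAN nmap XMAS [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.79:40000 -> 198.51.100.10:22
Sep 24 08:03:30 ids snort[1234]: [1:2000001:1] LOCAL admin-priv attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 203.0.113.5:4433 -> 198.51.100.10:23
Sep 24 08:04:00 ids snort[1234]: [1:1256:1] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.0.2.77:3400 -> 198.51.100.10:80'

# offenders MAX_PRIORITY
# Reads syslog lines on stdin; prints the unique source addresses of Snort
# alerts whose priority is MAX_PRIORITY or more urgent (1 is most urgent).
offenders() {
    awk -v max="$1" '
        /snort\[[0-9]+\]:/ && match($0, /\[Priority: [0-9]+\]/) {
            # "[Priority: N]": the number starts 11 chars in, the match
            # includes the closing bracket, so take RLENGTH-12 digits.
            prio = substr($0, RSTART + 11, RLENGTH - 12)
            if (prio + 0 > max + 0) next
            # The source follows the "{PROTO} " token; ICMP has no port,
            # TCP/UDP carry ":port" which is stripped afterwards.
            if (match($0, /[}] [0-9.]+(:[0-9]+)? -> /)) {
                src = substr($0, RSTART + 2, RLENGTH - 6)
                sub(/:[0-9]+$/, "", src)
                print src
            }
        }' | sort -u
}

# deny_commands ACL_NAME
# Reads addresses on stdin; prints the IOS named-ACL lines a management
# script would push. Addresses inside the protected network (assumed
# 198.51.100.0/24) are skipped: alert sources can be spoofed, and an
# auto-blocker must not be tricked into denying its own hosts.
deny_commands() {
    printf 'ip access-list extended %s\n' "$1"
    while read -r ip; do
        case "$ip" in
            198.51.100.*) continue ;;
        esac
        printf ' deny ip host %s any\n' "$ip"
    done
}

# Demo on the constructed sample: only priority-1 alerts lead to a deny.
printf '%s\n' "$SAMPLE_LOG" | offenders 1 | deny_commands SNORT_BLOCK
```

Against a live system the sample is replaced by the real log, e.g. `grep 'snort\[' /var/log/messages | offenders 1`, and the printed block would be handed to whatever pushes configuration to the router. Two caveats a practitioner would add before doing that: the source-address guard in `deny_commands` is the bare minimum, since most scan signatures fire on unsolicited packets whose source is trivially spoofable, and entries added this way need a scheduled expiry, or the ACL only ever grows.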
