[Snort-users] Feature Request

Erek Adams erek at ...577...
Mon Sep 24 08:35:02 EDT 2001

On Mon, 24 Sep 2001, Maxim Gansert wrote:

> Thanks, but where is that archive ?

Have a look at the bottom of all the email from the list.  :)
Snort-users list archive:

> Alerting is one of the most interesting features of an IDS, independent of
> whether it is lightweight or not. I want to config what levels of events
> to syslog and when to log to a file. It would be nice to change the
> .rules file(s) to allow these features; I am not asking how to do it.
> These priorities must be in the rules files, and they should be parsed
> correctly, and must be written to the syslog, but checking the syslog with
> Cisco Works Syslog Checker is one of the easier parts.

Ahhh...  Now I see what you're saying.  That would be a neat feature to have.
I'm more of the mind to log everything and let the analyst be the one to
assign the danger/priority level.

> OK, I won't bother you... it could be a simple add in the source, but when
> you say a script is faster, I will do so.

heh...  No bother, I'm just still brain dead.  Too much movie watching last
night--I gotta get off that DVD club! :)  Lemme wake up and find some spare
time.  I'll see if I can whip one up.

> To manage a router: I am interested in a solution to manage a normal
> perimeter router (Cisco, ...) like this:
> Someone tries to get Admin-Priv (Could be useful)
> 1.) Reset TCP Session (Packet on sniffing-device)
> 2.) Manage the router (DENY IP.A.DD.R on ACL:INTERFACE  ROUTER_IP)
> 3.) a few minutes later, a mail could be sent.

Auto blocking has been hashed out many, many, many times on the list.  There
are two camps.  The "It's a good thing" camp and the "It's a DOS waiting to
happen" camp.  I'm not going to fire up that religious war again, but I will
caution that auto blocking has an ability to put you in a world of hurt if not
done right.

> For TCP-Reset and start the management-Script Feature the .rules file
> could define some standard action, which could be implemented, maybe in
> Snort.
> your proposed alternative is the following:
> 1.) Log to Syslog server
> 2.) Check incoming Syslog traffic with a script against a set of rules
> 3.) Mail to SecurityStaff
> 3.) find out IP Address with sed & awk
> 4.) start router management script.
> The intruder has now a valid session or can simply start elsewhere with
> this information he gathered.

I'm not a fan of auto-blocking, so I've not looked into other alternatives.
Even with snort automatically dropping ACLs on the Cisco, 3l33t h4x0r will
still notice when his connection dies.  He could think "oh, my connection's
been reset--They must have an IDS tied to the router.  I'll be quieter next
time."  Or could start spoofing your upstream Serial interface IP.  Or the
root name servers.  Or any one of a thousand other nasty things...  He can
still come in from another site.  Security folks are playing 'whack-a-mole'
with 'em.  Stop/Block them at one place, they come in from another....
*sigh* Makes me wish we had a flex-resp rule that would send back high voltage

Keep your eyes out for 2.0.  There's supposed to be lots of nifty things
rolled into that codebase.


Erek Adams
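
The syslog-side alternative discussed in this thread (sort alerts by priority, mail the staff, pull out the source address), with the spoofing concern handled by a never-block list, as an added example that is not part of the original message or of Snort. The alert layout, the threshold names and all addresses are assumptions constructed for illustration, and the script only proposes block candidates; it never talks to a router.

```python
import ipaddress
import re

# Assumed alert layout, modelled on Snort's syslog output; lower number = more severe.
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> "
)

# Hypothetical never-block list (placeholder addresses): upstream interface, name servers.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.1/32", "198.51.100.0/24")]

def triage(lines, block_priority=1, mail_priority=2, max_blocks=2):
    """Return (action, source, priority) per alert; nothing is sent to a router."""
    decisions, blocked = [], set()
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line in the assumed layout
        prio, src = int(m["prio"]), ipaddress.ip_address(m["src"])
        if prio > mail_priority:
            action = "log"
        elif prio > block_priority:
            action = "mail"
        elif m["proto"] != "TCP":
            action = "mail"  # connectionless sources are the easiest to forge
        elif any(src in net for net in NEVER_BLOCK):
            action = "mail"  # a forged alert must not cut off our own upstream
        elif src in blocked:
            action = "already-listed"
        elif len(blocked) >= max_blocks:
            action = "mail"  # cap the list so an alert flood cannot fill the ACL
        else:
            blocked.add(src)
            action = "block-candidate"
        decisions.append((action, str(src), prio))
    return decisions

# Constructed sample lines (documentation address ranges, made-up messages).
SAMPLE = [
    "Sep 24 08:30:01 ids snort: [1:0:0] constructed admin attempt [Priority: 1] {TCP} 203.0.113.7:4312 -> 192.0.2.10:23",
    "Sep 24 08:30:02 ids snort: [1:0:0] constructed admin attempt [Priority: 1] {TCP} 192.0.2.1:4000 -> 192.0.2.10:23",
    "Sep 24 08:30:03 ids snort: [1:0:0] constructed probe [Priority: 1] {UDP} 203.0.113.9:53 -> 192.0.2.10:53",
    "Sep 24 08:30:04 ids snort: [1:0:0] constructed scan [Priority: 3] {ICMP} 203.0.113.8 -> 192.0.2.10",
    "Sep 24 08:30:05 ids snort: [1:0:0] constructed admin attempt [Priority: 2] {TCP} 203.0.113.7:4313 -> 192.0.2.10:23",
]

if __name__ == "__main__":
    for decision in triage(SAMPLE):
        print(decision)
```

The second sample line carries the never-block upstream address as its source, so it is mailed rather than proposed for blocking.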
