[Snort-users] Snort Log Method
Keith.McCammon at ...3497...
Thu Aug 29 07:35:04 EDT 2002
Not that I'm aware. While every alert that is generated for sig-x may look the same to you, they are in fact very different, and each one is relevant to an analyst. Knowing that attacker-x triggered sig-x 345 times is somewhat useful, but even more useful is the payload information that tells you:
- Whether the same request triggered each event, or if each event was triggered by a different request, only a portion of which triggered sig-x
- Whether things like TTL values remain constant, which could be an indicator of distributed attacks and/or IP spoofing (same source, different TTL = people not playing nice with your network)
- Whether the source port changes, or increments using some pattern (used to identify common tools, take guesses at OS, etc.)
- Which flags and options are set in IP/TCP headers, which can be very helpful in identifying common tools and scan types (such as the Nmap XMAS, etc.), as well as determining which types of evasion tactics are in use
The list could go on for days. In brief, you'd be doing yourself a great disservice by implementing such a feature. Bits and bytes are small, and the information that is contained in each event will surely be invaluable, should you find yourself in the unfortunate position of having to piece together an attack.
From: Pedro Tedeschi [mailto:pedro.tedeschi at ...6753...]
Sent: Thursday, August 29, 2002 10:13 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort Log Method
Is it possible for Snort to log just one unique event per IP?
The IP 126.96.36.199 has attacked 345 times on the same signature "WEB-IIS cmd.exe access".
But I want to log this attack just once and discard the other attacks from this signature.
Can I do this?
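As an added illustration of the reply's point (this is not code from the thread or from Snort), the script below parses constructed alert records written in the layout of Snort's "full" alert output, groups them by (signature, source IP), and reports what a one-event-per-IP dedup would discard: the spread of TTL values, whether the source port climbs predictably, and which TCP flag combinations appeared. The alert text, addresses, SID and packet fields are all made up for the example; the Classification/Priority line that real full alerts carry is left out for brevity.

```python
"""Compare per-IP deduplication with per-event header analysis of Snort alerts.

Added example, not from the original thread. The sample records are
constructed in the shape of Snort's "full" alert output (SID, timestamp and
addresses, IP header line, TCP header line); field values are invented.
"""
import re
from collections import defaultdict

# Constructed sample: seven alerts, two sources, one signature.
SAMPLE_ALERTS = """\
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
08/29-10:13:01.000001 126.96.36.199:3456 -> 10.0.0.5:80
TCP TTL:128 TOS:0x0 ID:1001 IpLen:20 DgmLen:412 DF
***AP*** Seq: 0x1A2B0001 Ack: 0x3C4D0001 Win: 0x4000 TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
08/29-10:13:01.000120 126.96.36.199:3457 -> 10.0.0.5:80
TCP TTL:128 TOS:0x0 ID:1002 IpLen:20 DgmLen:412 DF
***AP*** Seq: 0x1A2B0002 Ack: 0x3C4D0002 Win: 0x4000 TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
08/29-10:13:01.000250 126.96.36.199:3458 -> 10.0.0.5:80
TCP TTL:64 TOS:0x0 ID:31337 IpLen:20 DgmLen:412 DF
***AP*** Seq: 0x0BAD0003 Ack: 0x3C4D0003 Win: 0x16D0 TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
08/29-10:13:01.000370 126.96.36.199:3459 -> 10.0.0.5:80
TCP TTL:128 TOS:0x0 ID:1003 IpLen:20 DgmLen:412 DF
**UAP*** Seq: 0x1A2B0004 Ack: 0x3C4D0004 Win: 0x4000 TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
08/29-10:13:01.000490 126.96.36.199:3460 -> 10.0.0.5:80
TCP TTL:51 TOS:0x0 ID:5 IpLen:20 DgmLen:412 DF
***AP*** Seq: 0x77770005 Ack: 0x3C4D0005 Win: 0x2000 TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
08/29-10:14:30.500000 10.1.2.3:40000 -> 10.0.0.5:80
TCP TTL:61 TOS:0x0 ID:7 IpLen:20 DgmLen:380 DF
***AP*** Seq: 0x5555AAAA Ack: 0x1111BBBB Win: 0x7D78 TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
08/29-10:14:31.500000 10.1.2.3:39990 -> 10.0.0.5:80
TCP TTL:61 TOS:0x0 ID:8 IpLen:20 DgmLen:380 DF
***AP*** Seq: 0x5555AAAB Ack: 0x1111BBBC Win: 0x7D78 TcpLen: 20
"""

SIG_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
ADDR_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IP_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) TOS:(\S+) ID:(\d+)")
FLAGS_RE = re.compile(r"^([*12UAPRSF]{8}) Seq:")  # Snort's 8-char flag field


def parse_alerts(text):
    """Turn full-format alert text into one dict per event."""
    events, cur = [], None
    for line in text.splitlines():
        m = SIG_RE.match(line)
        if m:  # a new record starts at the [**] signature line
            cur = {"sid": int(m.group(2)), "sig": m.group(4), "flags": None}
            events.append(cur)
            continue
        if cur is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            cur.update(ts=m.group(1), src=m.group(2), sport=int(m.group(3)),
                       dst=m.group(4), dport=int(m.group(5)))
            continue
        m = IP_RE.match(line)
        if m:
            cur.update(proto=m.group(1), ttl=int(m.group(2)), ipid=int(m.group(4)))
            continue
        m = FLAGS_RE.match(line)
        if m:
            cur["flags"] = m.group(1)
    return events


def one_per_ip(events):
    """What the requested dedup would keep: the first event per (signature, source)."""
    seen, kept = set(), []
    for e in events:
        key = (e["sig"], e["src"])
        if key not in seen:
            seen.add(key)
            kept.append(e)
    return kept


def summarize(events):
    """Per (signature, source): what the discarded events would have told you."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["sig"], e["src"])].append(e)
    out = {}
    for key, evs in groups.items():
        ttls = sorted({e["ttl"] for e in evs})
        ports = [e["sport"] for e in evs]
        out[key] = {
            "count": len(evs),
            "ttls": ttls,
            # Same source with several TTLs: spoofed or distributed senders.
            "ttl_suspicious": len(ttls) > 1,
            # Monotonic source ports hint at one tool/OS driving the stream.
            "sport_increasing": all(b > a for a, b in zip(ports, ports[1:])),
            "flags": sorted({e["flags"] for e in evs if e["flags"]}),
        }
    return out


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(evs)} events, {len(one_per_ip(evs))} kept by one-per-IP dedup")
    for key, s in summarize(evs).items():
        print(key, s)
```

On the constructed sample the dedup keeps two of seven events; the full set shows that 126.96.36.199 arrives with three different TTLs (51, 64, 128) while its source ports climb by one each time, which is exactly the mix of spoofing indicator and tool fingerprint the reply says you would lose.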