[Snort-users] Snort alert file boolean filter - anybody done this before?

Mike Ahern mc_ahern at ...131...
Thu Mar 7 15:27:02 EST 2002


We have a distributed security management system that
reads and processes individual security events in the
alert file and then forwards them on to a management
console. 

I would like to prefilter the alerts in a boolean
fashion where "X" type of alert to/from "Y"
destination/source IP (and perhaps Y is a file list of
IP's or an individual IP addr) - then the alert is not
forwarded to another monitored snort alert file.

For example, null sessions to DC's and other events
that might be "normal" events can be disregarded,
however if there are other null sessions beyond what
is typical in my environment - it is still on my
radar.

The disregarded security events can still be logged
locally on the snort box in the event of need to go
back and pull the data.

Has anyone already done this, or found something out
there to do this? I'd like to be able to selectively
tune down the noise with something like this. I have
seen command line exclusion to ignore specific hosts,
but I am looking to deal with this on the back-end of
the snort IDS process (preserving local logging of all
events), with a more granular control. 

Also, I am curious if anyone has a way to capture the
actual destination for an HTTP event when local web
proxies are used and are indicated as the destination
IP address. I would like to indicate the actual web
destination of the monitored traffic in the event
logging. Has anyone got anything that will do this???
Or have any ideas on how to best implement this kind
of thing?

 - Mike






__________________________________________________
Do You Yahoo!?
Try FREE Yahoo! Mail - the world's greatest free email!
http://mail.yahoo.com/




More information about the Snort-users mailing list