[Snort-users] New feature wanted in snort: packet print

Martin Olsson elof at ...6680...
Wed Oct 16 02:01:03 EDT 2002


I sent this mail to the snort-users list since I think more people than me
are interested in your answers/thoughts.


Glenn Mansfield Keeni, the author of snort's SNMP-plugin, have come up
with a nice idea (at least I think it was his idea):

If you have an offending packet passing through several sensors, it would
be nice if the NMS could detect and correlate that the alerts origin from
the same packet, giving me *one* alert with the summary instead of one
alert per sensor.

In the SNMP-plugin, Glenn has added the support for generating a print of
the invariant part of the offending packet. This print, a MD5 or
SHA1 digest of the packet, is sent as part of the alert. This digest can
be used to verify whether the packet was seen in other parts of the
network. For privacy/security reasons we do not send the packet itself.

My question is:
Couldn't this be built straight into the snort core, so you can get the
benefits of the packet print regardless of what output plugin you use?

If not, could Roman Danyliw please add it to the database plugin?

Martin Olsson
Sentor AB, Sweden





More information about the Snort-users mailing list