[Snort-users] Metadata field in rules to identify target?

Williams Jon WilliamsJonathan at ...2134...
Fri Feb 19 15:04:31 EST 2010


While I was discussing snort rules with some friends, I got to thinking: would it be possible to add a metadata field to a snort rule that would allow me to identify which end of the conversation is the actual target of the activity (i.e. the source or destination IP address)? The reason this comes up is that I'll sometimes need to write rules where the source of the packet is actually the target of the attack, for example looking for a response that indicates that an attack succeeded. Much of the time, analysis tools presume that the source of the packet is the source of the attack, and in this case, it's obviously not the case.
With such a beast in place, I could focus on alerts/attacker, attackers/victim, etc. rather than the more mundane src/dst notation.
Thoughts?
Jon
------------------------------------

Data is the pollution of the information age. -- Bruce Schneier
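One way to implement the proposal above, as an added example that is not part of the original post or of Snort itself: a small Python parser for a hypothetical `target src|dst` key inside a rule's `metadata:` option, which then maps each fired alert to (attacker, victim) instead of (src, dst). The rules, SIDs and addresses are constructed for illustration.

```python
import re

# Constructed example rules. The second one fires on the *response* from the
# attacked server, so the packet source is the victim; the hypothetical
# "target src" metadata key records that.
RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed exploit attempt"; flow:to_server,established; content:"EXPLOIT"; metadata:service http, target dst; sid:1000001; rev:1;)
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"constructed success response"; flow:from_server,established; content:"PWNED"; metadata:service http, target src; sid:1000002; rev:1;)
'''

# Matches "key:value;" rule options (options without a value are ignored).
OPT_RE = re.compile(r'(\w+)\s*:\s*([^;]*);')


def parse_rules(text):
    """Return {sid: target} where target is 'src', 'dst' or None (key absent)."""
    targets = {}
    for line in text.strip().splitlines():
        # The rule header has no parentheses, so the option body is the outer (...) span.
        opts = line[line.index('(') + 1:line.rindex(')')]
        sid, target = None, None
        for key, val in OPT_RE.findall(opts):
            if key == 'sid':
                sid = int(val.strip())
            elif key == 'metadata':
                # metadata is a comma-separated list of "key value" pairs
                for pair in val.split(','):
                    parts = pair.split()
                    if len(parts) == 2 and parts[0] == 'target' and parts[1] in ('src', 'dst'):
                        target = parts[1]
        if sid is not None:
            targets[sid] = target
    return targets


def attacker_victim(targets, sid, src_ip, dst_ip):
    """Map a fired alert's packet addresses to (attacker, victim)."""
    if targets.get(sid) == 'src':
        return dst_ip, src_ip
    # 'dst', or no target key at all: keep the conventional src-is-attacker assumption
    return src_ip, dst_ip


def alerts_per_attacker(targets, alerts):
    """Count alerts per attacker; alerts are (sid, src_ip, dst_ip) tuples."""
    counts = {}
    for sid, src, dst in alerts:
        attacker, _ = attacker_victim(targets, sid, src, dst)
        counts[attacker] = counts.get(attacker, 0) + 1
    return counts
```

With the two constructed rules, the request and the success response are both attributed to the same attacker address even though the second packet's source is the victim.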