[Snort-users] Metadata field in rules to identify target?

Joel Esler jesler at ...1935...
Fri Feb 19 16:27:05 EST 2010


You could use the msg field to give a more specific indicator as to
the purpose of the rule.

"Exploit for IIS inbound", for example.

--
Joel Esler
302-223-5974
Sent from my iPhone

On Feb 19, 2010, at 3:04 PM, Williams Jon <WilliamsJonathan at ...2134...> wrote:

> While I was discussing snort rules with some friends, I got to thinking:
> would it be possible to add a metadata field to a snort rule that would
> allow me to identify which end of the conversation is the actual target
> of the activity (i.e. the source or destination IP address)?  The reason
> this comes up is that I’ll sometimes need to write rules where the source
> of the packet is actually the target of the attack, for example looking
> for a response that indicates that an attack succeeded.  Much of the
> time, analysis tools presume that the source of the packet is the source
> of the attack, and in this case, it’s obviously not the case.
>
>
>
> With such a beast in place, I could focus on alerts/attacker,  
> attackers/victim, etc. rather than the more mundane src/dst notation.
>
>
>
> Thoughts?
>
>
>
> Jon
>
>
>
> ------------------------------------
>
> Data is the pollution of the information age. -- Bruce Schneier
>
>
>
> --- 
> --- 
> --- 
> ---------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
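As an added illustration of the idea raised in this thread (not code from either poster or from the Snort project): Snort passes metadata key/value pairs it does not recognise through untouched, so a site can adopt its own `target src` / `target dst` key and have a post-processing script flip the attacker/victim roles for alerts whose rule says the packet *source* is the victim. The `target` key is an assumed local convention, and the rules and fast-format alert lines below are constructed samples.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample rules (not from the thread). The "target" metadata key is
# an assumed local convention: Snort passes unknown metadata key/value pairs
# through untouched, so a site can use one to record which end is the victim.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Exploit for IIS inbound"; content:"/scripts/"; sid:1000001; rev:1; metadata:target dst, policy balanced-ips drop;)
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"IIS exploit success response"; content:"cmd.exe"; sid:1000002; rev:1; metadata:target src;)
alert tcp any any -> any any (msg:"Untagged rule"; sid:1000003; rev:1;)
"""

# Constructed alert lines in Snort's "fast" alert format.
SAMPLE_ALERTS = """
02/19-15:04:05.123456  [**] [1:1000001:1] Exploit for IIS inbound [**] [Priority: 1] {TCP} 10.0.0.5:4444 -> 192.168.1.10:80
02/19-15:04:05.456789  [**] [1:1000002:1] IIS exploit success response [**] [Priority: 1] {TCP} 192.168.1.10:80 -> 10.0.0.5:4444
02/19-15:05:10.000001  [**] [1:1000003:1] Untagged rule [**] [Priority: 3] {TCP} 172.16.0.9:53 -> 192.168.1.20:5555
"""

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
META_RE = re.compile(r'\bmetadata:\s*([^;]*);')
ALERT_RE = re.compile(
    r'\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)'
)


def parse_rule_targets(rules_text: str) -> Dict[int, str]:
    """Map sid -> 'src' or 'dst' for every rule whose metadata carries a target tag.

    Simplification: options are located with regexes rather than a full rule
    parser, which is enough for rules whose content strings contain no ';'.
    """
    targets: Dict[int, str] = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid_m, meta_m = SID_RE.search(line), META_RE.search(line)
        if not sid_m or not meta_m:
            continue
        for pair in meta_m.group(1).split(','):
            parts = pair.split()
            if len(parts) == 2 and parts[0] == 'target' and parts[1] in ('src', 'dst'):
                targets[int(sid_m.group(1))] = parts[1]
    return targets


def strip_port(addr: str) -> str:
    """'10.0.0.5:4444' -> '10.0.0.5' (IPv4 form used in the fast alert format)."""
    return addr.rsplit(':', 1)[0]


def attribute_alert(line: str, targets: Dict[int, str]) -> Optional[dict]:
    """Turn one fast-alert line into attacker/victim roles using the rule's target tag.

    Untagged rules fall back to the usual tool assumption that the packet
    source is the attacker; the result is marked tagged=False so an analyst
    can see which attributions rest on that assumption.
    """
    m = ALERT_RE.search(line)
    if not m:
        return None
    sid = int(m.group('sid'))
    tag = targets.get(sid)
    if tag == 'src':      # packet source is the victim (e.g. an exploit success response)
        attacker, victim = m.group('dst'), m.group('src')
    else:                 # 'dst' or untagged: packet source is the attacker
        attacker, victim = m.group('src'), m.group('dst')
    return {
        'sid': sid,
        'msg': m.group('msg'),
        'attacker': strip_port(attacker),
        'victim': strip_port(victim),
        'tagged': tag is not None,
    }


def alerts_per_attacker(alert_text: str, targets: Dict[int, str]) -> Dict[str, int]:
    """Count alerts per attacking host, the attacker-centric view the thread asks for."""
    counts: Counter = Counter()
    for line in alert_text.splitlines():
        result = attribute_alert(line, targets)
        if result:
            counts[result['attacker']] += 1
    return dict(counts)


if __name__ == '__main__':
    tgt = parse_rule_targets(SAMPLE_RULES)
    for raw in SAMPLE_ALERTS.splitlines():
        r = attribute_alert(raw, tgt)
        if r:
            print(f"sid {r['sid']}: attacker={r['attacker']} victim={r['victim']} tagged={r['tagged']}")
    print(alerts_per_attacker(SAMPLE_ALERTS, tgt))
```

With the tag in place, the response-side alert from sid 1000002 is counted against 10.0.0.5 rather than against the web server that emitted the packet, which is exactly the src/dst inversion the original question describes; the `tagged` flag keeps untagged rules visibly on the default assumption.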



