
Re: [Snort-devel] New feature wanted: Locate the bad guy?

From: Neil <sdev2(at)geekshanty.com>
Date: Mon Jun 23 2003 - 10:23:28 EDT

I have to agree with Martin on this. I think that knowing which side is causing the alert would be extremely useful. Think of a simple example with HTTP 501 - Access Forbidden errors. Since Snort alerts on the response from the server, the destination is the attacker and the source is the web server. Using a flag like Martin suggests would allow you to re-classify the alert so the Attacker could easily be identified.

This almost sounds like it would be something that could be added into the existing flow directives. We already have flow:from_server, what about flow:from_server_response or something along those lines?

I think this is an issue worth exploring.

Neil

On 06-23 (11:57), Martin Olsson wrote:
<snip>
> Hmmm, only one reply to my posting... Am I really the only one who think
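As an added example (not part of this thread, and not Snort's own code): a small Python helper that does the re-classification Neil describes, using the flow modifiers Snort already has (to_client/from_server, to_server/from_client) to decide which end of a response-triggered alert is the attacker. The rule, the alert line, the sid and the addresses are constructed for illustration.

```python
import re

# Snort flow modifiers that mean the rule fires on the server's reply: the
# packet's source is then the server (victim) and its destination the client
# (attacker). The request-side modifiers give the opposite mapping.
RESPONSE_FLAGS = {"to_client", "from_server"}
REQUEST_FLAGS = {"to_server", "from_client"}

FLOW_RE = re.compile(r"\bflow\s*:\s*([^;]+);")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(rf"({IPV4}):(\d+)\s*->\s*({IPV4}):(\d+)")

# Constructed rule: matches on the web server's error response, so it is a
# from_server-style rule and the alert's src/dst are the reverse of attacker/victim.
SAMPLE_RULE = ('alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any '
               '(msg:"WEB-MISC 403 Forbidden"; flow:to_client,established; '
               'content:"HTTP/1.1 403"; classtype:attempted-recon; sid:1000001; rev:1;)')

# Constructed alert line in Snort's fast-alert style (documentation addresses).
SAMPLE_ALERT = ('[**] [1:1000001:1] WEB-MISC 403 Forbidden [**] [Priority: 2] '
                '06/23-10:23:28.000000 192.0.2.10:80 -> 203.0.113.7:40112')


def rule_direction(rule):
    """Return 'response', 'request' or 'unknown' from the rule's flow: option."""
    m = FLOW_RE.search(rule)
    if not m:
        return "unknown"
    flags = {f.strip() for f in m.group(1).split(",")}
    if flags & RESPONSE_FLAGS:
        return "response"
    if flags & REQUEST_FLAGS:
        return "request"
    return "unknown"  # only established/stateless etc.: direction not stated


def classify(alert_line, rule):
    """Map the alert's src/dst onto attacker/victim using the rule's flow direction."""
    m = ALERT_RE.search(alert_line)
    if not m:
        raise ValueError("no 'src:port -> dst:port' pair in alert line")
    src = (m.group(1), int(m.group(2)))
    dst = (m.group(3), int(m.group(4)))
    direction = rule_direction(rule)
    if direction == "response":
        return {"direction": direction, "attacker": dst, "victim": src}
    if direction == "request":
        return {"direction": direction, "attacker": src, "victim": dst}
    return {"direction": direction, "attacker": None, "victim": None}


if __name__ == "__main__":
    print(classify(SAMPLE_ALERT, SAMPLE_RULE))
```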




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Tue Jun 24 08:47:17 2003


