
Re: [Snort-devel] New feature wanted: Locate the bad guy?

From: Martin Olsson <elof(at)sentor.se>
Date: Mon Jul 07 2003 - 08:11:35 EDT

On 4 Jul 2003, Gianni Tedesco wrote:
> On Mon, 2003-06-23 at 10:57, Martin Olsson wrote:

As you already have been told, the <- direction has been deprecated.

Even if it was possible, the reporting tool would have no clue as to whether the matched packet was triggered by a "->"-rule or a "<-"-rule.

No matter how the problem is solved syntactically, you need to add new information to the _alerts_. This information gives the reporting tools the possibility to create correct reports (as described earlier).

So, two things are needed:
* Snort needs to tag the alerts with a reference to the "bad" side
* Reporting tools need to take the new tag into account when
  generating reports that show the worst offenders and the most attacked
  hosts.

/Martin




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Mon Jul 7 08:32:36 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT
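
The reporting problem raised in the message above, as an added example (not code from the post, from Snort or from any reporting tool). The per-alert field "bad_side" is a hypothetical name for the proposed tag, and the alerts are constructed sample data.

```python
from collections import Counter

# Constructed sample alerts (not real Snort output). "bad_side" is a
# hypothetical tag naming which endpoint of the matched packet is hostile.
ALERTS = [
    {"sig": "rule A", "src": "203.0.113.7", "dst": "10.0.0.5", "bad_side": "src"},
    {"sig": "rule A", "src": "203.0.113.7", "dst": "10.0.0.6", "bad_side": "src"},
    # The case a "<-" rule was meant to express: the packet that matched
    # travels from the attacked host to the hostile one.
    {"sig": "rule B", "src": "10.0.0.5", "dst": "203.0.113.7", "bad_side": "dst"},
    {"sig": "rule B", "src": "10.0.0.5", "dst": "198.51.100.9", "bad_side": "dst"},
]


def roles(alert, use_tag=True):
    """Return (offender, victim) for one alert."""
    if use_tag and alert.get("bad_side") == "dst":
        return alert["dst"], alert["src"]
    # Without the tag a report can only assume the packet source is hostile.
    return alert["src"], alert["dst"]


def report(alerts, use_tag=True):
    """Count alerts per offender and per victim."""
    offenders, victims = Counter(), Counter()
    for alert in alerts:
        offender, victim = roles(alert, use_tag)
        offenders[offender] += 1
        victims[victim] += 1
    return offenders, victims


if __name__ == "__main__":
    for use_tag in (False, True):
        offenders, victims = report(ALERTS, use_tag)
        print("tag used:" if use_tag else "tag ignored:")
        print("  worst offenders:", offenders.most_common())
        print("  most attacked:  ", victims.most_common())
```

With the tag ignored, 10.0.0.5 is listed as an offender and 203.0.113.7 as a victim; with the tag used, both end up in the correct report.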
