
Re: [Snort-devel] New feature in snort - mark modified packets

From: Martin Olsson <elof(at)sentor.se>
Date: Mon Jul 07 2003 - 09:15:40 EDT

On Fri, 27 Jun 2003, Chris Green wrote:
> Martin Olsson <elof@sentor.se> writes:

That's messy. Just let the packet be and put the information in the related alert instead.

> acid is doable but requires changes to

Yepp, many of my requests for new features require quite a lot of work, but I think many of them (this is one of them) are so important that they should be done anyway.
I mean, when you have a SOC and an operator staring at alerts all day, it's nice to make his life as easy as possible. By including packet-modification info in the alert, it's much easier for the operator to understand what he's looking at and understand why the packet looks like it does.

> > Could snort include a label indicating the origin of the logged

My thought exactly. By including this new tag we get a bonus: all the authors of plugins generating "M" would get an extra push to rewrite the code, using the Alternate packet standard instead. :)

> > Anyone else think this is a good idea?

Do you need help?

:-)

/Martin



Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Mon Jul 7 09:35:31 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT

