Snort mailing list archives

alert message containing info from the packet?


From: Andreas Hasenack <andreas () netbank com br>
Date: Thu, 10 May 2001 12:08:09 -0300

Would it be feasible for snort's alert messages to contain
some information from the packet that caused the alert?

One example, ICMP host unreachable packets.

The current rules only log this generic message and which machine
sent them, but not which host was unreachable. For that info, I have
to search the packet's payload.
Would it be feasible for this info to already be on the alert message?
Perhaps some other field, like CVE and others are today, so that
the type of the alert is still the same (to facilitate searches in
a mysql database, for example: how many "icmp host unreachable"
messages do I have?), but so that I can have this info 
without having to check the payload.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


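The "info from the packet" the poster is after is already in the ICMP body: a destination unreachable message quotes the original IP header plus at least the first 8 bytes of the original datagram (RFC 792), so the unreachable host is the destination address of that quoted header, and for TCP/UDP the first 4 quoted payload bytes are the original ports. The following is an added example, not Snort code or anything from the list: it builds a constructed host-unreachable packet (reporter, original source and destination addresses, and the assumed original UDP datagram 40000 -> 53 are all made up), parses it as raw IPv4 with no link-layer header, verifies the ICMP checksum, and emits a generic message followed by the extra fields in a hypothetical bracketed format, so that counting by alert type still works while the unreachable host is visible without opening the payload.

```python
"""Extract the unreachable host from an ICMP destination unreachable packet.

Added example, not Snort code. Assumes raw IPv4 packets with no link-layer
header; the sample addresses and original datagram are constructed.
"""
import socket
import struct

ICMP_PROTO = 1
ICMP_DEST_UNREACH = 3
# Destination unreachable codes from RFC 792 / RFC 1122 (subset).
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
    13: "communication administratively prohibited",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_host_unreachable(reporter: str, orig_src: str, orig_dst: str,
                           code: int = 1, quoted_len: int = 8) -> bytes:
    """Constructed sample of what a router sends back when orig_dst is unreachable.

    The ICMP body quotes the original IP header plus the first quoted_len bytes
    of its payload (RFC 792 requires at least 8). Assumed original datagram:
    UDP 40000 -> 53 carrying 16 zero bytes.
    """
    udp_data = b"\x00" * 16
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(udp_data), 0) + udp_data
    inner_ip = ipv4_header(orig_src, orig_dst, 17, len(udp))
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner_ip + udp[:quoted_len]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(reporter, orig_src, ICMP_PROTO, len(icmp)) + icmp


def parse_dest_unreachable(packet: bytes) -> dict:
    """Return the fields an alert should carry for an ICMP type 3 packet.

    Raises ValueError for anything that is not a well-formed destination
    unreachable message, so a caller can fall back to the generic alert.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ICMP_PROTO:
        raise ValueError("not ICMP")
    reporter = socket.inet_ntoa(packet[12:16])
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("not a destination unreachable message")
    # Recomputing over the whole message, checksum field included, folds to 0 when valid.
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("quoted IP header missing")
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        raise ValueError("quoted datagram shorter than the RFC 792 minimum")
    fields = {
        "reporter": reporter,
        "code": icmp[1],
        "reason": UNREACH_CODES.get(icmp[1], "code %d" % icmp[1]),
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "unreachable_host": socket.inet_ntoa(inner[16:20]),
        "orig_proto": inner[9],
    }
    if inner[9] in (6, 17):  # TCP/UDP: ports are the first 4 quoted payload bytes
        fields["orig_sport"], fields["orig_dport"] = struct.unpack(
            "!HH", inner[inner_ihl:inner_ihl + 4])
    return fields


def format_alert(packet: bytes) -> str:
    """Generic message first (so counts per alert type still work), extras after it.

    The bracketed field layout is a hypothetical format, not Snort's.
    """
    f = parse_dest_unreachable(packet)
    where = f["unreachable_host"]
    if "orig_dport" in f:
        where += ":%d" % f["orig_dport"]
    return ("ICMP Destination Unreachable (%s) from %s [unreachable=%s orig_src=%s proto=%d]"
            % (f["reason"], f["reporter"], where, f["orig_src"], f["orig_proto"]))
```

The checksum and length checks matter in practice: a forged or truncated type 3 packet should not be allowed to plant an arbitrary "unreachable host" in the alert, and some stacks quote more than 8 bytes while others truncate, so the parser only trusts the quoted header once the RFC 792 minimum is present.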