Snort mailing list archives
alert message containing info from the packet?
From: Andreas Hasenack <andreas () netbank com br>
Date: Thu, 10 May 2001 12:08:09 -0300
Would it be feasible for snort's alert messages to contain some information from the packet that caused the alert? One example, ICMP host unreachable packets. The current rules only log this generic message and which machine sent them, but not which host was unreachable. For that info, I have to search the packet's payload. Would it be feasible for this info to already be on the alert message? Perhaps some other field, like CVE and others are today, so that the type of the alert is still the same (to facilitate searches in a mysql database, for example: how many "icmp host unreachable" messages do I have?), but so that I can have this info without having to check the payload.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
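The unreachable host the post asks about is not in the ICMP header itself: per RFC 792 an ICMP Destination Unreachable message carries the IP header and first 8 bytes of the original datagram after its own 8-byte header, so the "unreachable host" is the destination address of that embedded header. The following is an added example (not code from the original post and not part of Snort) showing how an analyst or a post-processing script can pull that information out of the raw packet and append it to the alert as an extra field while leaving the base message text unchanged, so counts per message in a database still work. The sample packet, the field names and the bracketed alert format are all constructed for this example.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
# Subset of RFC 792 / RFC 1122 destination-unreachable codes
ICMP_UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
}


def parse_ipv4_header(buf, offset=0):
    """Return (header_len, protocol, src, dst) for the IPv4 header at offset.

    Only the fields needed here are decoded; the checksum is not verified.
    """
    if len(buf) - offset < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tot_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, offset)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(buf) - offset < ihl:
        raise ValueError("bad IHL")
    return ihl, proto, socket.inet_ntoa(src), socket.inet_ntoa(dst)


def enrich_icmp_unreachable(pkt):
    """Given the raw IPv4 bytes of a packet, return a dict describing an ICMP
    Destination Unreachable message (who reported it, which host/port was
    unreachable, who was trying to reach it), or None if pkt is not one."""
    ihl, proto, outer_src, _outer_dst = parse_ipv4_header(pkt)
    if proto != 1:  # not ICMP
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type != ICMP_DEST_UNREACH:
        return None
    info = {
        "reporter": outer_src,
        "code": ICMP_UNREACH_CODES.get(icmp_code, "code %d" % icmp_code),
        "unreachable_host": None,
        "original_src": None,
        "original_proto": None,
    }
    inner = icmp[8:]  # RFC 792: original IP header + >= 8 bytes of its payload
    if len(inner) < 20:
        return info  # quoted datagram truncated; report what we have
    inner_ihl, inner_proto, inner_src, inner_dst = parse_ipv4_header(inner)
    info.update(unreachable_host=inner_dst, original_src=inner_src,
                original_proto=inner_proto)
    l4 = inner[inner_ihl:inner_ihl + 8]
    if inner_proto in (6, 17) and len(l4) >= 4:  # TCP or UDP: ports are first 4 bytes
        sport, dport = struct.unpack("!HH", l4[:4])
        info["original_sport"] = sport
        info["original_dport"] = dport
    return info


def format_alert(base_msg, info):
    """Keep the generic message text intact and append the extracted fields
    in a separate bracketed section (constructed format for this example)."""
    keys = ("reporter", "unreachable_host", "original_src", "original_dport")
    extra = " ".join("%s=%s" % (k, info[k]) for k in keys if info.get(k) is not None)
    return "%s [%s]" % (base_msg, extra)


# --- constructed sample traffic -------------------------------------------
def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_host_unreachable_sample():
    """Constructed: 10.0.0.5 tried TCP to 10.0.1.9:80; router 10.0.0.1 answers
    with ICMP type 3 code 1 quoting the original header + 8 bytes of TCP."""
    tcp_start = struct.pack("!HH", 40000, 80) + b"\x00" * 4  # first 8 TCP bytes
    original = build_ipv4(6, "10.0.0.5", "10.0.1.9", tcp_start)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, 1, 0, 0) + original
    return build_ipv4(1, "10.0.0.1", "10.0.0.5", icmp)


if __name__ == "__main__":
    details = enrich_icmp_unreachable(build_host_unreachable_sample())
    print(format_alert("ICMP Destination Unreachable (Host Unreachable)", details))
```

Because the base message string is untouched, a query such as counting rows whose message starts with "ICMP Destination Unreachable" still groups all of these alerts together, while the bracketed fields answer the follow-up question of which host was unreachable without opening the payload.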