Snort mailing list archives

Re: Feature Request


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 24 Sep 2001 06:48:25 -0700 (PDT)

On Mon, 24 Sep 2001, Maxim Gansert wrote:

> [...snip...]

> Features to be requested
> - Script startup at a definite level

Startup scripts have been posted to the list multiple times.  Check the
archives.

>   I would like to have the following options:
>   Priority == 3 -> start /usr/snort/scripts/myPrio3Script
>   Priority >= 6 -> start /usr/snort/Scripts/emailalert xyz () aaa bbb ccc ddd
>   Priority >= 9 -> start /usr/snort/scripts/emailalert SecurityStaff

> emailalert: should inform a special user or a group that you are
> under attack, with some information: source IP, destination IP, type of
> attack and priority of this event.

Already covered in the FAQ.

http://snort.sourcefire.com/docs/faq.html#5.7

> - Automatic archiving
>   Script startup at a definite point
>   size(alertlog) >= 1 MB /usr/snort/scripts/archivelog
>   first(alertlog) >= 4 h /usr/snort/scripts/archivelog
>   remain(mountpoint_space) <= 10 MB /usr/snort/scripts/emailalert RanOutOfSpaceStaff

I haven't had any coffee so I'm still braindead and cranky--But that's about a
15-20 line shell script run from cron at whatever interval you want.

> - Have an option to kill or log a TCP session or to manage a router, for
>   each event (not priority). So you can force a special policy for your
>   network(s). And also to have a first action against an offending user.
>   If someone complains you can simply say it was a mistake and the rules
>   can be tuned, but it was/is a real threat against the policy.

Ummm...  Check out Guardian.  There's also another program someone has written
that will do ipf (or is it iptables?) rules.

To quote Marty "Snort is a Lightweight Intrusion Detection System."  The
things you are asking for are better served as _external_ addons or
contributions to snort instead of features.  Personally, I don't want snort to
slow down one bit, I like how fast it runs!  :)  Functionality that can
remain external to snort is better left external.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
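A constructed version of the cron-driven archiving script Erek describes for the "automatic Archiving" request, added here and not from the thread or the Snort project. The log and archive paths, the marker file, the STAFF address, the use of mail(1) for emailalert, and the copy-then-truncate rotation are all assumptions; the thresholds are the ones Maxim listed.

```shell
#!/bin/sh
# Hypothetical cron job: archive snort's alert log when it is >= 1 MB or
# its first entry is >= 4 h old, and mail staff when free space <= 10 MB.
ALERTLOG="${ALERTLOG:-/var/log/snort/alert}"
ARCHIVEDIR="${ARCHIVEDIR:-/var/log/snort/archive}"
MARKER="$ALERTLOG.started"          # holds the epoch of the last rotation
MAX_BYTES=$((1024 * 1024))          # size(alertlog)  >= 1 MB
MAX_AGE_MIN=$((4 * 60))             # first(alertlog) >= 4 h
MIN_FREE_KB=$((10 * 1024))          # remain(mountpoint_space) <= 10 MB
STAFF="${STAFF:-RanOutOfSpaceStaff@example.invalid}"   # assumed address

# Decision helpers, kept free of I/O so they can be tested on their own.
# $1 = log size in bytes, $2 = minutes since the first entry.
should_archive() { [ "$1" -ge "$MAX_BYTES" ] || [ "$2" -ge "$MAX_AGE_MIN" ]; }
# $1 = free KB on the log's mount point.
space_low() { [ "$1" -le "$MIN_FREE_KB" ]; }

log_size() { wc -c < "$1" | tr -d ' '; }
# Age of the current log, measured from the epoch stored at last rotation
# (portable across GNU/BSD, unlike stat's differing options).
log_age_min() {
    [ -s "$MARKER" ] || date +%s > "$MARKER"
    echo $(( ($(date +%s) - $(cat "$MARKER")) / 60 ))
}
# POSIX df -P: column 4 is available 1024-byte blocks.
free_kb() { df -Pk "$(dirname "$1")" | awk 'NR == 2 { print $4 }'; }

archivelog() {
    mkdir -p "$ARCHIVEDIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    # Copy-then-truncate leaves snort's open file descriptor valid, so no
    # restart is needed; alerts written between the cp and the truncate
    # are lost, which is the trade-off of this approach.
    cp "$1" "$ARCHIVEDIR/alert.$stamp" && : > "$1"
    gzip "$ARCHIVEDIR/alert.$stamp"
    date +%s > "$MARKER"
}
emailalert() { mail -s "$2" "$1"; }   # $1 = recipient, $2 = subject, body on stdin

main() {
    if should_archive "$(log_size "$ALERTLOG")" "$(log_age_min)"; then
        archivelog "$ALERTLOG"
    fi
    if space_low "$(free_kb "$ALERTLOG")"; then
        df -Pk "$(dirname "$ALERTLOG")" | emailalert "$STAFF" "snort: log partition below 10 MB"
    fi
}
# Only act when invoked as a cron job, e.g. "*/15 * * * * /usr/snort/scripts/archivelog run"
if [ "${1:-}" = "run" ]; then main; fi
```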


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users