Snort mailing list archives
Re: Feature Request
From: Maxim Gansert <Maxim.Gansert () bln1 siemens de>
Date: Mon, 24 Sep 2001 17:04:59 +0200
Hi *,
> Startup scripts have been posted to the list multiple times. Check the archives.
Thanks, but where is that archive?
> Already covered in the FAQ. http://snort.sourcefire.com/docs/faq.html#5.7
Alerting is one of the most interesting features of an IDS, independent of whether it is lightweight or not. I want to configure what levels of events go to syslog and when to log to a file. It would be nice to change the .rules file(s) to allow these features; I am not asking how to do it. These priorities must be in the rules files, they should be parsed correctly, and they must be written to the syslog, but checking the syslog with Cisco Works Syslog Checker is one of the easier parts.
> > - automatic archiving script startup at a definite point:
> >   size(alertlog) >= 1 MB               /usr/snort/scripts/archivelog
> >   first(alertlog) >= 4 h               /usr/snort/scripts/archivelog
> >   remain(mountpoint_space) <= 10 MB    /usr/snort/scripts/emailalert RanOutOfSpaceStaff
> I haven't had any coffee so I'm still braindead and cranky--But that's about a 15-20 line shell script run from cron at whatever interval you want.
OK, I won't bother you... it could be a simple addition in the source, but when you say a script is faster, I will do so.
> > - Have an option to kill or log a TCP session or to manage a router, for each event (not priority). So you can force a special policy for your network(s), and also have a first action against an offending user. If someone complains you can simply say it was a mistake and the rules can be tuned, but it was/is a real threat against the policy.
> Ummm... Check out Guardian. There's also another program someone has written that will do ipf (or is it iptables?) rules.
To manage a router: I am interested in a solution to manage a normal perimeter router (Cisco, ...) like this. Someone tries to get admin privileges (could be useful):
1.) Reset the TCP session (packet on the sniffing device)
2.) Manage the router (DENY IP.A.DD.R on ACL:INTERFACE ROUTER_IP ENABLE_PW:ACCOUNT:PW)
3.) A few minutes later, a mail could be sent.
For the TCP reset and the start of the management script, the .rules file could define some standard action, which could be implemented, maybe in Snort. Your proposed alternative is the following:
1.) Log to a syslog server
2.) Check incoming syslog traffic with a script against a set of rules
3.) Mail to security staff
4.) Find out the IP address with sed & awk
5.) Start the router management script
The intruder now has a valid session or can simply start elsewhere with the information he gathered.
> To quote Marty "Snort is a Lightweight Intrusion Detection System." The things you are asking for are better served as _external_ addons or contributions to snort instead of features. Personally, I don't want snort to slow down one bit, I like how fast it runs! :) Functionality that can remain external to snort is better left external.
Cheers, Maxim

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
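The "15-20 line shell script run from cron" that Erek suggests in place of Maxim's archiving feature, written out as an added example (not code from the thread or from the Snort project). It applies the thresholds Maxim listed (size >= 1 MB, first entry >= 4 h old, free space <= 10 MB); the log and archive paths, the recipient address and the ".started" stamp file used to track the age of the current log are assumptions.

```shell
#!/bin/sh
# Cron housekeeping for the Snort alert log (run it e.g. every 10 minutes):
#   size(alertlog) >= 1 MB or first(alertlog) >= 4 h  -> archive the log
#   remain(mountpoint_space) <= 10 MB                  -> mail the staff
# Paths, recipient and the ".started" stamp file are assumptions of this example.
ALERTLOG="${ALERTLOG:-/var/log/snort/alert}"          # assumed path
ARCHIVEDIR="${ARCHIVEDIR:-/var/log/snort/archive}"    # assumed path
MAIL_TO="${MAIL_TO:-security-staff@example.invalid}"  # placeholder address
MAX_BYTES=$((1024 * 1024))   # 1 MB
MAX_AGE=$((4 * 3600))        # 4 h since the first entry of the current log
MIN_FREE_KB=$((10 * 1024))   # 10 MB

# Size of a file in bytes, 0 if it does not exist yet.
log_size() { if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi; }
# Seconds since the current log was started. Snort appends, so mtime only tells
# when the last alert arrived; a stamp file records when this log was begun.
log_age() {
    stamp="$1.started"
    [ -f "$stamp" ] || date +%s > "$stamp"
    echo $(( $(date +%s) - $(cat "$stamp") ))
}
# Free KB on the filesystem holding directory $1 (POSIX "df -P", column 4).
free_kb() { df -Pk "$1" | awk 'NR == 2 { print $4 }'; }

# Decision helpers take plain numbers so they can be tested without waiting.
needs_rotation() { [ "$1" -ge "$MAX_BYTES" ] || [ "$2" -ge "$MAX_AGE" ]; }
low_on_space()   { [ "$1" -le "$MIN_FREE_KB" ]; }

# Copy the live log to the archive, truncate it in place, reset the stamp.
# Snort keeps its descriptor open, so mv would leave it writing into the archive;
# copy+truncate instead loses alerts arriving between the two commands (the same
# trade-off as logrotate's copytruncate). Prints the archived file name.
rotate_log() {
    log="$1"; dir="$2"; mkdir -p "$dir"
    dest="$dir/alert.$(date +%Y%m%d-%H%M%S).$$"
    cp "$log" "$dest" && : > "$log"
    date +%s > "$log.started"
    if command -v gzip >/dev/null 2>&1; then gzip "$dest"; dest="$dest.gz"; fi
    echo "$dest"
}
notify_staff() { printf '%s\n' "$2" | mail -s "$1" "$MAIL_TO"; }  # subject, body
main() {
    if needs_rotation "$(log_size "$ALERTLOG")" "$(log_age "$ALERTLOG")"; then
        rotate_log "$ALERTLOG" "$ARCHIVEDIR" >/dev/null
    fi
    dir=$(dirname "$ALERTLOG")
    if low_on_space "$(free_kb "$dir")"; then notify_staff "snort: low disk" "$(df -Pk "$dir")"; fi
}
# Act only when cron invokes "--run"; sourcing the file just defines the helpers.
if [ "${1:-}" = "--run" ]; then main; fi
```

Install it as a crontab entry such as `*/10 * * * * /usr/snort/scripts/archivelog --run` (path assumed); the stamp file is the only state it keeps between runs.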
Current thread:
- Feature Request Maxim Gansert (Sep 24)
- Re: Feature Request Erek Adams (Sep 24)
- Re: Feature Request Maxim Gansert (Sep 24)
- Re: Feature Request Erek Adams (Sep 24)
- Re: Feature Request Maxim Gansert (Sep 24)
- Re: Feature Request Erek Adams (Sep 24)