Snort mailing list archives
Re: Feature Request
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 24 Sep 2001 08:34:05 -0700 (PDT)
On Mon, 24 Sep 2001, Maxim Gansert wrote:
> Thanks, but where is that archive?
Have a look at the bottom of all the email from the list. :)

--
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
> Alerting is one of the most interesting features of an IDS, independent of whether it is lightweight or not. I want to configure what levels of events go to syslog and when to log to a file. It would be nice to change the .rules file(s) to allow these features; I am not asking how to do it. These priorities must be in the rules files, and they should be parsed correctly and must be written to the syslog, but checking the syslog with Cisco Works Syslog Checker is one of the easier parts.
Ahhh... Now I see what you're saying. That would be a neat feature to have. I'm more of the mind to log everything and let the analyst be the one to assign the danger/priority level.
> OK, I won't bother you... it could be a simple add in the source, but when you say a script is faster, I will do so.
heh... No bother, I'm just still brain dead. Too much movie watching last night--I gotta get off that DVD club! :) Lemme wake up and find some spare time. I'll see if I can whip one up.
> To manage a router: I am interested in a solution to manage a normal perimeter router (Cisco, ...) like this. Someone tries to get admin privileges (could be useful):
> 1.) Reset TCP session (packet on sniffing device)
> 2.) Manage the router (DENY IP.A.DD.R on ACL:INTERFACE ROUTER_IP ENABLE_PW:ACCOUNT:PW)
> 3.) A few minutes later, a mail could be sent.
Auto blocking has been hashed out many, many, many times on the list. There are two camps. The "It's a good thing" camp and the "It's a DOS waiting to happen" camp. I'm not going to fire up that religious war again, but I will caution that auto blocking has the ability to put you in a world of hurt if not done right.
> For the TCP reset and start-the-management-script feature, the .rules file could define some standard action, which could be implemented, maybe in Snort. Your proposed alternative is the following:
> 1.) Log to syslog server
> 2.) Check incoming syslog traffic with a script against a set of rules
> 3.) Mail to security staff
> 4.) Find out IP address with sed & awk
> 5.) Start router management script
> The intruder now has a valid session or can simply start elsewhere with the information he gathered.
I'm not a fan of auto-blocking, so I've not looked into other alternatives. Even with snort automatically dropping ACL's on the Cisco, 3l33t h4x0r will still notice when his connection dies. He could think "oh, my connection's been reset--they must have an IDS tied to the router. I'll be quieter next time." Or could start spoofing your upstream Serial interface IP. Or the root name servers. Or any one of a thousand other nasty things... He can still come in from another site. Security folks are playing 'whack-a-mole' with 'em. Stop/block them at one place, they come in from another.... *sigh* Makes me wish we had a flex-resp rule that would send back high voltage electro-shocks.

Keep your eyes out for 2.0. There's supposed to be lots of nifty things rolled into that codebase.

Later!

-----
Erek Adams
   Nifty-Type-Guy
   TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
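The script-side triage the thread sketches (log everything to syslog, route alerts by their [Priority: N] field, pull out the source address, and summarise per source before a delayed mail to staff) as an added example; it is not part of the original thread or of Snort. The alert line shape and all addresses are constructed, and the priority thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog input (not real captured data): three Snort alerts in the
# "[gid:sid:rev] msg [Classification: ...] [Priority: N]: {PROTO} src -> dst" shape plus one sshd line.
SAMPLE_SYSLOG = """\
Sep 24 08:31:02 sensor snort[812]: [1:1234:1] WEB-MISC admin.php access [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 10.9.8.7:4311 -> 192.168.1.10:80
Sep 24 08:31:05 sensor snort[812]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.9.8.7 -> 192.168.1.10
Sep 24 08:31:09 sensor snort[812]: [1:2000:1] MISC noisy chatter [Classification: Not Suspicious Traffic] [Priority: 3]: {UDP} 10.1.1.1:5353 -> 224.0.0.251:5353
Sep 24 08:31:12 sensor sshd[100]: Accepted password for bob from 10.2.2.2 port 22 ssh2
"""

ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def parse_alert(line):
    """Return the alert fields of one Snort syslog line, or None for non-Snort lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return dict(m.groupdict(), prio=int(m.group("prio")))

def triage(text, mail_max=1, file_max=2):
    """Route each alert by priority: <= mail_max to the mail queue, <= file_max to the
    alert file, the rest stays in syslog only. Nothing is dropped, so analysts can re-prioritise."""
    routed = {"mail": [], "file": [], "syslog": []}
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        if alert["prio"] <= mail_max:
            routed["mail"].append(alert)
        elif alert["prio"] <= file_max:
            routed["file"].append(alert)
        else:
            routed["syslog"].append(alert)
    return routed

def mail_digest(alerts):
    """Collapse queued alerts into one summary per source address, so staff get a single
    delayed message per source rather than one mail per packet (the sed & awk step)."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(f"[{a['gid']}:{a['sid']}] {a['msg']} -> {a['dst']} (prio {a['prio']})")
    return {src: "\n".join(lines) for src, lines in by_src.items()}
```

Running `mail_digest(triage(SAMPLE_SYSLOG)["mail"])` yields one summary keyed by 10.9.8.7; the router step from the thread is deliberately left out, since the decision to block stays with the analyst.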