Snort mailing list archives
RE: Snort Log Method
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Thu, 29 Aug 2002 10:34:35 -0400
Not that I'm aware. While every alert that is generated for sig-x may look the same to you, they are in fact very different, and each one is relevant to an analyst. Knowing that attacker-x triggered sig-x 345 times is somewhat useful, but even more useful is the payload information that tells you:

- Whether the same request triggered each event, or if each event was triggered by a different request, only a portion of which triggered sig-x
- Whether things like TTL values remain constant, which could be an indicator of distributed attacks and/or IP spoofing (same source, different TTL = people not playing nice with your network)
- Whether the source port changes, or increments using some pattern (used to identify common tools, take guesses at OS, etc.)
- Which flags and options are set in IP/TCP headers, which can be very helpful in identifying common tools and scan types (such as the Nmap XMAS, etc.), as well as determining which types of evasion tactics are in use

The list could go on for days. In brief, you'd be doing yourself a great disservice by implementing such a feature. Bits and bytes are small, and the information that is contained in each event will surely be invaluable, should you find yourself in the unfortunate position of having to piece together an attack.

Cheers

Keith

-----Original Message-----
From: Pedro Tedeschi [mailto:pedro.tedeschi () frb-par com]
Sent: Thursday, August 29, 2002 10:13 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Log Method

Hi,

Is it possible for Snort to log just one unique event per IP? Like this:

The IP 1.1.1.1 has attacked 345 times on the same signature "WEB-IIS cmd.exe access", but I want to log this attack just one time and discard the other attacks from this signature.

Can I do this?

Regards,
Pedro Tedeschi
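As an added illustration of the per-event detail Keith lists (this is not code from the thread or from Snort itself): a small Python parser for Snort's full alert-log format that groups events by source IP and signature but keeps the TTL, source-port and TCP-flag variation that a one-event-per-IP log would discard. The alert text is constructed sample data, and the record layout assumes Snort's full alert output (header line, flow line, IP line, TCP line, blank line between records).

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread) in Snort's "full" alert-log format:
# three hits on one signature from one source that differ in TTL, source port and flags.
SAMPLE_ALERTS = """\
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
08/29-10:13:01.100000 1.1.1.1:33921 -> 10.0.0.5:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:300 DF
***AP*** Seq: 0x1 Ack: 0x2 Win: 0x4000 TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
08/29-10:13:02.100000 1.1.1.1:33922 -> 10.0.0.5:80
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:300 DF
***AP*** Seq: 0x3 Ack: 0x4 Win: 0x4000 TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
08/29-10:13:03.100000 1.1.1.1:33923 -> 10.0.0.5:80
TCP TTL:128 TOS:0x0 ID:3 IpLen:20 DgmLen:300
**U*P**F Seq: 0x5 Ack: 0x0 Win: 0x4000 TcpLen: 20
"""
HEADER = re.compile(r"\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]")
FLOW = re.compile(r"^\S+ (\S+?):(\d+) -> (\S+?):(\d+)$", re.M)
TTL = re.compile(r"\bTTL:(\d+)")
FLAGS = re.compile(r"^([*A-Z12]{8}) Seq:", re.M)   # e.g. ***AP***, **U*P**F

def parse_full_alerts(text):
    """Yield one dict per alert record; records are separated by blank lines."""
    for rec in re.split(r"\n\s*\n", text.strip()):
        head, flow = HEADER.search(rec), FLOW.search(rec)
        if not (head and flow):
            continue                      # not a complete record, skip it
        ttl, flags = TTL.search(rec), FLAGS.search(rec)
        yield {"sid": head.group(1), "msg": head.group(2), "src": flow.group(1),
               "sport": int(flow.group(2)), "ttl": int(ttl.group(1)) if ttl else None,
               "flags": flags.group(1) if flags else None}

def summarize(alerts):
    """Per (source IP, signature): the detail a one-event-per-IP log would drop."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["src"], a["sid"])].append(a)
    out = {}
    for key, evs in groups.items():
        ports = [e["sport"] for e in evs]
        out[key] = {"count": len(evs),
                    "ttls": sorted({e["ttl"] for e in evs}),     # >1 value: spoofing/distributed?
                    "flags": sorted({e["flags"] for e in evs}),  # unusual combos: scan-type hints
                    "sport_sequential": all(b - a == 1 for a, b in zip(ports, ports[1:]))}
    return out
```

Running `summarize(parse_full_alerts(SAMPLE_ALERTS))` on the sample shows one source and signature with three events, two distinct TTLs, two distinct flag sets and strictly incrementing source ports; a log that kept only the first event would report none of that.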