Snort mailing list archives
Snort alert file boolean filter - anybody done this before?
From: Mike Ahern <mc_ahern () yahoo com>
Date: Thu, 7 Mar 2002 15:26:25 -0800 (PST)
We have a distributed security management system that reads and processes individual security events in the alert file and then forwards them on to a management console. I would like to prefilter the alerts in a boolean fashion, where if "X" type of alert is to/from "Y" destination/source IP (and perhaps Y is a file list of IPs or an individual IP address), then the alert is not forwarded to another monitored Snort alert file. For example, null sessions to DCs and other events that might be "normal" events can be disregarded; however, if there are other null sessions beyond what is typical in my environment, it is still on my radar. The disregarded security events can still be logged locally on the Snort box in the event of a need to go back and pull the data.

Has anyone already done this, or found something out there to do this? I'd like to be able to selectively tune down the noise with something like this. I have seen command line exclusion to ignore specific hosts, but I am looking to deal with this on the back-end of the Snort IDS process (preserving local logging of all events), with more granular control.

Also, I am curious if anyone has a way to capture the actual destination for an HTTP event when local web proxies are used and are indicated as the destination IP address. I would like to indicate the actual web destination of the monitored traffic in the event logging.

Has anyone got anything that will do this??? Or have any ideas on how to best implement this kind of thing?

- Mike

Snort-users mailing list: Snort-users () lists sourceforge net
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
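The "X type of alert to/from Y host list" filter described in the post, as an added example in Python; this is not code from the original message or from the Snort project. It parses Snort `alert_fast`-style lines, applies suppression rules of the form "signature X to/from hosts in list Y", and splits the stream into lines that are forwarded and lines that stay in the local log only. The alert lines, SIDs, messages, and the domain-controller host list below are all constructed for the example; the `SuppressRule` and `filter_alerts` names are this example's own.

```python
"""Boolean pre-filter for Snort alert_fast lines (added example, not from the original post).

A suppression rule says "signature X to/from host list Y". Alerts that match are kept
for the local (log-everything) file and are NOT forwarded; everything else is forwarded
unchanged. Sample alerts, SIDs and the host list below are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

# One alert_fast line: "<ts> [**] [gid:sid:rev] <msg> [**] ... {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)


@dataclass
class Alert:
    raw: str
    sid: int
    msg: str
    src: IPv4Address
    dst: IPv4Address


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for an alert_fast line, or None if the line does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return Alert(line, int(m["sid"]), m["msg"], ip_address(m["src"]), ip_address(m["dst"]))


def load_hostlist(text: str) -> List[IPv4Network]:
    """Parse a host-list file: one IP or CIDR per line; '#' comments and blank lines ignored."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ip_network(entry, strict=False))
    return nets


@dataclass
class SuppressRule:
    """Suppress alerts with signature `sid` (None = any) whose `direction` endpoint is in `hosts`."""
    sid: Optional[int]
    direction: str  # "to" (dst in hosts), "from" (src in hosts) or "either"
    hosts: List[IPv4Network] = field(default_factory=list)

    def matches(self, a: Alert) -> bool:
        if self.sid is not None and a.sid != self.sid:
            return False
        in_list = lambda ip: any(ip in n for n in self.hosts)
        if self.direction == "to":
            return in_list(a.dst)
        if self.direction == "from":
            return in_list(a.src)
        return in_list(a.src) or in_list(a.dst)


def filter_alerts(lines: Iterable[str], rules: List[SuppressRule]) -> Tuple[List[str], List[str]]:
    """Split raw alert lines into (forward, suppressed)."""
    forward, suppressed = [], []
    for line in lines:
        a = parse_alert(line)
        # Fail toward visibility: a line the parser cannot read is never suppressed.
        if a is not None and any(r.matches(a) for r in rules):
            suppressed.append(line)
        else:
            forward.append(line)
    return forward, suppressed


# Constructed host list: DCs where null sessions are expected (hypothetical addresses).
DC_HOSTLIST = """\
# domain controllers
10.0.0.5
10.0.0.6/32
"""

# Constructed alert_fast lines; SIDs 1000001/1000002 and messages are made up for this example.
SAMPLE_ALERTS = """\
03/07-15:26:25.101  [**] [1:1000001:1] EXAMPLE NETBIOS null session [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.25:1034 -> 10.0.0.5:139
03/07-15:26:26.202  [**] [1:1000001:1] EXAMPLE NETBIOS null session [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.25:1035 -> 10.0.0.77:139
03/07-15:26:27.303  [**] [1:1000002:1] EXAMPLE web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.25:1036 -> 10.0.0.5:80
"""

# Only null-session alerts *to* a listed DC are kept local; the same signature to any
# other host, and any other signature to a DC, is still forwarded.
RULES = [SuppressRule(sid=1000001, direction="to", hosts=load_hostlist(DC_HOSTLIST))]


def run_sample() -> Tuple[List[str], List[str]]:
    return filter_alerts(SAMPLE_ALERTS.splitlines(), RULES)


if __name__ == "__main__":
    fwd, sup = run_sample()
    for line in sup:
        print("LOCAL ONLY:", line)
    for line in fwd:
        print("FORWARD   :", line)
```

In a real deployment the `forward` list would be appended to the file the management agent tails and the full, unfiltered input would remain the local Snort alert file, so suppression only affects what reaches the console. Lines that do not parse are deliberately forwarded rather than dropped, so a format change cannot silently hide events.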