Snort mailing list archives
Re: Feature request: thresholds need another counter?
From: Frank Knobbe <frank () knobbe us>
Date: Thu, 18 Mar 2004 10:59:19 -0600
On Wed, 2004-03-17 at 07:20, Jason wrote:
I disagree. Yes, from a technical standpoint, we (as in my place of employment) only care about the fact that the machine is infected or not, and if you get 1000 hits a min, that's a good indication. However, there are those we report to who want numbers and statistics; losing those is just as bad from a management standpoint, even more so where I work, as they are very much into numbers...
Also, if you use thresholding to squelch out noisy signatures, you (obviously) won't detect the careful and less noisy attack that might trigger the same signature. If you squelch an alert, a single, slightly differently crafted packet could compromise the system and you wouldn't even know about it.
Now ideally, if someone came up with a nice realtime console, then not having to worry about thresholding and having a console that consolidates the alerts (for example, show the alert, then drill down into the alert to get the source count, and then drilling down on the source would show all the source -> destination relationships) would be even better. Disk space is not an issue for me; db performance is, but I have managed to get around that a little bit. The issue is the multitude of alerts we get, and how to get rid of the fluff.
Something I thought of was to create a module that takes a certain number of alerts and tries to identify a group as belonging to one cause. The best example is Nimda, which triggers a series of signatures. The module could identify those alerts as a Nimda attack and, instead of showing 10 IIS-related alerts, just show one Nimda attack alert. I'm trying to solve this on our custom backend by combing the database and rewriting entries there. I'm not sure if this could be solved as a preprocessor. I think the caching requirements to cache a large enough number of alerts are probably too high to do that within Snort itself. Would be nice though, having a spp_attack or so that reduces the amount of alerts by identifying the program/virus/attack behind a series of sigs.

Cheers,
Frank
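The two approaches discussed in this message, suppressing repeats with a Snort-style `type limit, track by_src` threshold versus collapsing a burst of related signatures into one "cause" alert while keeping the counts, side by side on the same input. This is an added example written for this archive page, not code from Snort or from anyone in the thread; the alert records, signature ids, messages and the `CAUSES` table are constructed here, and the Snort threshold behaviour is emulated in Python rather than taken from Snort's own implementation. The `drilldown` function models the console view described above (alert -> per-source count -> source->destination pairs).

```python
"""Added example: Snort-style thresholding vs. grouping alerts by cause.

All data below is constructed for illustration; it is not real Snort output.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: float      # seconds since start of capture (constructed)
    sid: int       # signature id (constructed, not real Snort sids)
    msg: str
    src: str
    dst: str


# Constructed sample: 10.0.0.5 fires a burst of IIS signatures at one host
# (the Nimda-like case from the message); 10.0.0.9 sends a single probe.
SAMPLE_ALERTS = [
    Alert(0.0, 1001, "WEB-IIS cmd.exe access", "10.0.0.5", "192.168.1.10"),
    Alert(0.1, 1002, "WEB-IIS root.exe access", "10.0.0.5", "192.168.1.10"),
    Alert(0.2, 1003, "WEB-IIS unicode traversal", "10.0.0.5", "192.168.1.10"),
    Alert(0.3, 1001, "WEB-IIS cmd.exe access", "10.0.0.5", "192.168.1.10"),
    Alert(0.4, 1001, "WEB-IIS cmd.exe access", "10.0.0.5", "192.168.1.10"),
    Alert(0.5, 1002, "WEB-IIS root.exe access", "10.0.0.5", "192.168.1.10"),
    Alert(2.0, 1001, "WEB-IIS cmd.exe access", "10.0.0.9", "192.168.1.10"),
]

# Hypothetical cause table for the grouping module: name -> (sids, how many
# distinct sids one src->dst pair must have fired to be attributed to it).
CAUSES = {
    "Nimda-style IIS worm activity": ({1001, 1002, 1003}, 3),
}


def limit_by_src(alerts, count, seconds):
    """Emulate `threshold type limit, track by_src, count N, seconds S`:
    per (sid, src) log at most `count` alerts per window, drop the rest.
    Returns (kept, dropped). Snort itself reports no `dropped` figure; it is
    returned here only to show how much of the statistic the threshold hides."""
    window_start, seen = {}, Counter()
    kept, dropped = [], 0
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.sid, a.src)
        start = window_start.get(key)
        if start is None or a.ts - start >= seconds:
            window_start[key] = a.ts        # open a new window
            seen[key] = 0
        seen[key] += 1
        if seen[key] <= count:
            kept.append(a)
        else:
            dropped += 1
    return kept, dropped


def correlate(alerts, causes):
    """Group alerts per src->dst pair; when a pair has fired enough distinct
    signatures of one cause, emit a single composite alert that keeps the
    member count and per-sid breakdown. Unexplained alerts pass through."""
    by_pair = defaultdict(list)
    for a in alerts:
        by_pair[(a.src, a.dst)].append(a)
    out = []
    for (src, dst), group in by_pair.items():
        remaining = list(group)
        for name, (sids, need) in causes.items():
            members = [a for a in remaining if a.sid in sids]
            if len({a.sid for a in members}) >= need:
                out.append({"cause": name, "src": src, "dst": dst,
                            "count": len(members),
                            "sids": sorted(Counter(a.sid for a in members).items())})
                remaining = [a for a in remaining if a.sid not in sids]
        out.extend({"cause": None, "src": a.src, "dst": a.dst, "count": 1,
                    "sids": [(a.sid, 1)]} for a in remaining)
    return out


def drilldown(alerts):
    """Console view: per signature, alerts per source; per source, hosts hit."""
    per_sig_src = defaultdict(Counter)
    src_dst = defaultdict(Counter)
    for a in alerts:
        per_sig_src[a.msg][a.src] += 1
        src_dst[a.src][a.dst] += 1
    return per_sig_src, src_dst


if __name__ == "__main__":
    kept, dropped = limit_by_src(SAMPLE_ALERTS, count=1, seconds=60)
    print(f"threshold: {len(kept)} alerts logged, {dropped} silently dropped")
    for entry in correlate(SAMPLE_ALERTS, CAUSES):
        print("correlated:", entry)
    per_sig, src_dst = drilldown(SAMPLE_ALERTS)
    print("drilldown:", dict(per_sig), dict(src_dst))
```

On the constructed burst the `limit` emulation logs 4 of 7 alerts and the other 3 vanish without a trace, which is the statistic the management side of the thread wants kept; the correlator instead returns one composite "Nimda-style" entry carrying all 6 member alerts with a per-signature count, plus the lone probe from 10.0.0.9 unchanged, so nothing is lost and the single odd packet is still visible.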