Snort mailing list archives
Metadata field in rules to identify target?
From: Williams Jon <WilliamsJonathan () JohnDeere com>
Date: Fri, 19 Feb 2010 14:04:31 -0600
While I was discussing snort rules with some friends, I got to thinking: would it be possible to add a metadata field to a snort rule that would allow me to identify which end of the conversation is the actual target of the activity (i.e. the source or destination IP address)? The reason this comes up is that I'll sometimes need to write rules where the source of the packet is actually the target of the attack, for example looking for a response that indicates that an attack succeeded. Much of the time, analysis tools presume that the source of the packet is the source of the attack, and in this case, it's obviously not the case.

With such a beast in place, I could focus on alerts/attacker, attackers/victim, etc. rather than the more mundane src/dst notation.

Thoughts?

Jon

------------------------------------
Data is the pollution of the information age. -- Bruce Schneier
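One way an analysis tool could consume such a field, as an added example that is not part of the original post and not Snort's own code: Snort's `metadata:` rule option carries free-form `key value` pairs that the engine itself ignores, so the example assumes a hypothetical convention `metadata:target src` / `metadata:target dst` naming which end of the packet is the victim. The rules, alert records and IP addresses are constructed for the example. A rule with `target src` (an alert on a response that shows an attack succeeded) is oriented so that the packet source is the victim; a rule with no hint falls back to the usual source-is-attacker assumption and flags the result as assumed, so an analyst can tell a known orientation from a guess.

```python
"""Orient Snort alerts as attacker/victim using a rule-level metadata hint.

Added example, not Snort's own code. The "target" metadata key is a
hypothetical convention: Snort's metadata: option stores key/value pairs
the engine ignores, which is what makes it a place to carry such a hint.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed rules. The second one fires on a *response*, so the packet's
# source is the victim: the (hypothetical) hint "target src" says so.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB exploit attempt"; '
    'content:"/cgi-bin/evil"; metadata:target dst, policy balanced-ips drop; '
    'sid:1000001; rev:1;)',
    'alert tcp $HOME_NET 80 -> $EXTERNAL_NET any '
    '(msg:"WEB exploit succeeded, root shell banner in response"; '
    'content:"uid=0(root)"; metadata:target src; sid:1000002; rev:1;)',
    # No hint at all: the tool must fall back to the src=attacker assumption.
    'alert tcp any any -> any 22 (msg:"SSH brute force"; sid:1000003; rev:1;)',
]

# Constructed alerts as (sid, src_ip, dst_ip), using documentation IP ranges.
ALERTS: List[Tuple[str, str, str]] = [
    ("1000001", "203.0.113.9", "192.0.2.10"),
    ("1000002", "192.0.2.10", "203.0.113.9"),
    ("1000003", "203.0.113.9", "192.0.2.22"),
]

_SPLIT_OPTS = re.compile(r"(?<!\\);")  # ';' that is not escaped as '\;'


def parse_rule(rule: str) -> Dict:
    """Parse the header and option body of a single-line Snort rule."""
    open_idx, close_idx = rule.index("("), rule.rindex(")")
    header = rule[:open_idx].split()
    if len(header) != 7:
        raise ValueError(f"unexpected rule header: {header}")
    parsed: Dict = {
        "action": header[0], "proto": header[1],
        "src": header[2], "sport": header[3], "direction": header[4],
        "dst": header[5], "dport": header[6],
        "metadata": {},
    }
    for opt in _SPLIT_OPTS.split(rule[open_idx + 1:close_idx]):
        opt = opt.strip()
        if not opt:
            continue
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip().strip('"')
        if name == "metadata":
            # metadata is a comma-separated list of "key value" pairs
            for pair in value.split(","):
                key, _, val = pair.strip().partition(" ")
                parsed["metadata"][key] = val.strip()
        else:
            parsed[name] = value
    return parsed


def orient_alert(rule: Dict, src_ip: str, dst_ip: str) -> Dict:
    """Map an alert's src/dst onto attacker/victim using the rule's hint.

    Without a hint, fall back to the common assumption (source = attacker)
    and mark the result as assumed rather than silently guessing.
    """
    target = rule["metadata"].get("target")
    if target == "src":
        attacker, victim, assumed = dst_ip, src_ip, False
    elif target == "dst":
        attacker, victim, assumed = src_ip, dst_ip, False
    elif target is None:
        attacker, victim, assumed = src_ip, dst_ip, True
    else:
        raise ValueError(f"sid {rule['sid']}: unknown target value {target!r}")
    return {"sid": rule["sid"], "msg": rule["msg"],
            "attacker": attacker, "victim": victim, "assumed": assumed}


def alerts_per_attacker(rules: List[str], alerts) -> Counter:
    """Count alerts by attacker IP rather than by packet source IP."""
    by_sid = {r["sid"]: r for r in map(parse_rule, rules)}
    return Counter(orient_alert(by_sid[sid], s, d)["attacker"]
                   for sid, s, d in alerts)


if __name__ == "__main__":
    by_sid = {r["sid"]: r for r in map(parse_rule, RULES)}
    for sid, s, d in ALERTS:
        print(orient_alert(by_sid[sid], s, d))
    print(alerts_per_attacker(RULES, ALERTS))
```

Counting by packet source would split the three constructed alerts between two addresses; counting by attacker attributes all three to 203.0.113.9, because sid 1000002 is the victim's response and its hint flips the orientation. Only the `target` key is interpreted; other metadata pairs (such as `policy`) are parsed and kept but otherwise ignored, as Snort itself does.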
Current thread:
- Metadata field in rules to identify target? Williams Jon (Feb 19)
- Re: Metadata field in rules to identify target? Joel Esler (Feb 19)
- Re: Metadata field in rules to identify target? Matt Watchinski (Feb 19)
- Re: Metadata field in rules to identify target? Joel Esler (Feb 19)