
List:       snort-users
Subject:    [Snort-users] Snort alerts and extra information
From:       Kanan Alkanan via Snort-users <snort-users () lists ! snort ! org>
Date:       2017-09-20 4:36:00
Message-ID: CY4PR01MB3301B66E22BC1E2ABA881580EC610 () CY4PR01MB3301 ! prod ! exchangelabs ! com

I am using Snort to detect some bad traffic in our system, however, I need
to add more information to the logged alerts, such as to which tenant the
attacker's IP address belongs, the network ID? Assuming I have multiple
tenants, however all private IPs are duplicated over tenants, so it is not
possible to tell which node caused the attack, so I am thinking to include
the tenant ID and network ID, which are unique to each tenant, and then
attach the private IP of the attacker to the proper tenant. Current Snort
alerts will not provide this information, any help will be appreciated!


Can I modify snort.conf for this?
