Gene - SNĒZ looks very interesting, thanks! I am investigating whether SNĒZ may be relevant for a project on which I am working and have been reviewing your source.
I like your approach for persistent filters to enable auto-classification of alerts. I would need to add some functionality to SNĒZ in order to use it in my particular environment. In particular, I would need to modify the filters to allow for ranges of IP addresses for SRC and DST.
This is important in my environment as I have a large number of IP addresses in my environment so duplicating filters for each of these related systems would be onerous and error prone. Likewise, creating filters at the signature level without including groups of addresses would be insufficient as an inbound dictionary password attack is much less concerning than an outbound attack since inbound attacks happen nonstop.
Before I start experimenting, I wanted to check with you to determine if you have any insights, history, or suggestions on this topic.
A less important feature that I may subsequently investigate would be allowing for ranges or possibly groups of signatures to be specified in a filter.
Thanks in advance.
I think being able to specify a range would be a great enhancment!
On the signature group suggestion, I'm not quite sure how you envision the signature groups, unless you're thinking about basing it on Snort's rule 'classification'.
I have always thought that the ability to clone an existing filter would also be helpful. That would be a time saver, and a filter could be set without an actual fully matching alert.
As far as any insight goes, I don't think the logic for ip ranges would be all that difficult, but the database would have to be expanded and every page having an ipaddress would have to be changed. So I don't think it would be completely trivial either. But it certaily would kick SNEZ to the next level.
If I tackle this, I'll update here and in the wiki. Also, feel free to submit code to the project. I can always use the help.
Thanks, Brent, for your interest in SNEZ and for the suggestions. Hope my reply was helpful, and let me know if I can point you in some specific direction around the code.
SNEZ 1.9 is in development with support for ip address ranges. Look for the bleeding edge alpha release in the coming days.
SNEZ 1.9 alpha released today in the bleeeding edge folder. Thank you for using and testing SNEZ.