Snort Auto Block feature Prob/possible Enhancement?
-
I really enjoy using Snort and do have it auto blocking enabled. (thanks to all those that have supported that package)
I have quite a few rules enabled so I can see what is going on and keep tabs on the alerts that Snort identifies. As many of you know, Snort does flag things that are legit, and the false positives do get blocked, unfortunately. Yes, I can identify by IP/device and whitelist it if needed, but that isn't exactly the resolution I am looking for.
I would like to block all of the severe threats that Snort is monitoring, and on some of the lesser ones I would still like to see the alert so that I can investigate when needed, but not have Snort adding that to the blocked list.
Unless I missed it, the only option that I could find in the settings either blocks all alerts automatically or none at all. If the option does exist and I missed it, please let me know (yes, I will hang my head in shame for missing it), and if it doesn't, is there a way to get that feature added to Snort?
I would like to specify which alert groups are automatically added to the block list and which ones are not. (emerging threats vs just a snort shell86 code alert grouping vs stuff identified as messenger code threats aka mumble).
Furthermore, in a dream land it would be nice to even specify the duration to block on each grouping of alerts being monitored. For some, since it may be an alert that may cause a false positive, have that set to 3 hours or so, but for the more severe ones never remove them from the block list. I know that would probably require more logic/code to be written and would understand if the latter was not going to be possible. The main thing I would like to be able to do, though, is at least flag which ones to block and which ones not to block automatically. This way I can log some alerts for informational purposes only and not run the risk of a legit process/device being blocked.
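Added example, not part of the post above and not code from the pfSense Snort package: a small Python model of the per-group policy the post asks for. Each alert group gets one of three treatments (block permanently, block with an expiry, or alert only), and the policy is run over a few constructed Snort `alert_fast` lines. The SIDs 1000001-1000003, the rule messages, the addresses and the group names are placeholders chosen for the example; the line layout follows Snort's fast alert format.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Snort alert_fast line (IPv4 only in this example):
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::\d+)?\s+->\s+(?P<dst>[^\s:]+)(?::\d+)?$"
)

@dataclass(frozen=True)
class Alert:
    ts: str; gid: int; sid: int; rev: int; msg: str
    classification: str; priority: int; proto: str; src: str; dst: str

@dataclass(frozen=True)
class GroupPolicy:
    name: str
    msg_prefix: str                     # rule-message prefix that defines the group
    block: bool                         # False -> log the alert, never touch the block table
    duration: Optional[timedelta] = None  # None together with block=True -> permanent block

# Unknown groups are logged only: a rule the operator has not classified should
# not be able to block a device on its own.
LOG_ONLY = GroupPolicy("unclassified-log-only", "", block=False)

# Constructed policy: block shellcode alerts for good, block scans for 3 hours,
# only log the messenger/policy alerts the post wants to keep informational.
POLICIES = [
    GroupPolicy("shellcode", "EXAMPLE SHELLCODE", block=True),
    GroupPolicy("scan", "EXAMPLE SCAN", block=True, duration=timedelta(hours=3)),
    GroupPolicy("messenger-log-only", "EXAMPLE POLICY", block=False),
]

# Constructed alert_fast lines with placeholder SIDs and documentation addresses.
SAMPLE_ALERTS = [
    "10/15-14:23:01.123456  [**] [1:1000001:1] EXAMPLE SHELLCODE x86 NOOP [**] "
    "[Classification: Executable Code was Detected] [Priority: 1] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80",
    "10/15-14:23:05.000001  [**] [1:1000002:1] EXAMPLE POLICY Messenger client detected [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 10.0.0.7:40000 -> 198.51.100.9:443",
    "10/15-14:23:09.000002  [**] [1:1000003:1] EXAMPLE SCAN Port sweep [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.44:55555 -> 198.51.100.5:22",
]

BlockTable = Dict[str, Optional[datetime]]   # ip -> expiry time, None = permanent

def parse_fast_alert(line: str) -> Optional[Alert]:
    """Parse one alert_fast line; return None for lines that do not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
                 m["cls"] or "", int(m["prio"]), m["proto"], m["src"], m["dst"])

def decide(alert: Alert, policies: List[GroupPolicy]) -> GroupPolicy:
    """First policy whose message prefix matches wins; otherwise log only."""
    for p in policies:
        if alert.msg.startswith(p.msg_prefix):
            return p
    return LOG_ONLY

def apply_block(table: BlockTable, ip: str, now: datetime, policy: GroupPolicy) -> None:
    """Add or extend a block; a permanent block is never shortened by a timed one."""
    if not policy.block:
        return
    new_expiry = None if policy.duration is None else now + policy.duration
    if ip not in table or new_expiry is None:
        table[ip] = None if (ip in table and table[ip] is None) else new_expiry
        return
    if table[ip] is not None:
        table[ip] = max(table[ip], new_expiry)

def expire_blocks(table: BlockTable, now: datetime) -> int:
    """Drop timed blocks whose expiry has passed; return how many were removed."""
    stale = [ip for ip, exp in table.items() if exp is not None and exp <= now]
    for ip in stale:
        del table[ip]
    return len(stale)

def process_alerts(lines: List[str], policies: List[GroupPolicy],
                   now: datetime) -> Tuple[BlockTable, List[Tuple[Alert, GroupPolicy]]]:
    """Run every alert through the policy; return the block table and the decision log."""
    table: BlockTable = {}
    log: List[Tuple[Alert, GroupPolicy]] = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        policy = decide(alert, policies)
        log.append((alert, policy))
        apply_block(table, alert.src, now, policy)
    return table, log

if __name__ == "__main__":
    now = datetime(2024, 10, 15, 14, 30)
    table, log = process_alerts(SAMPLE_ALERTS, POLICIES, now)
    for alert, policy in log:
        print(f"{alert.src:<12} sid={alert.sid} group={policy.name} block={policy.block}")
    print(table)
```

The block table keys on the alert's source address, which is the usual choice for inbound alerts; for outbound alerts from a local device the operator would normally want to key on the destination instead, and a production version would let each group state which side to block. Matching on the message prefix mirrors how rule sets already name their categories, but matching on the `Classification` field or on SID ranges works the same way.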