Snort mailing list archives
RE: Alerting on >n packets?
From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Mon, 22 Oct 2001 13:10:25 -0400
Have a look at sec.pl (Simple Event Correlation) at www.estpak.ee/~risto/sec/. It will do some of the basic time-based event correlation you're talking about, as well as multiple event relationships (i.e. suppress further out-of-limit events until an in-limit event occurs). It can be configured to read from a pipe that Snort logs to.
-----Original Message-----
From: Lodin, Steven {GZ-Q~Mannheim} [mailto:STEVEN.LODIN () Roche COM]
Sent: Monday, October 22, 2001 2:23 AM
To: 'Martin Roesch'; Joshua Thomas
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Alerting on >n packets?

I would change the topic to "Alerting on >n events". This is something I tried to do, but failed in ISS. Either the product didn't support thresholds or I couldn't find it in the documentation. The situation was the following:

N events in K time is normal behaviour
10N events in K time is a warning level
100N events in K time is an active attack requiring immediate response

To accomplish this, I fed all events to a Tivoli Distributed Monitoring system using SNMP. Tivoli did the event collection and thresholding. When it reached its trigger points, then the Tivoli response system dished out the appropriate emails and pages.

> That's a good feature suggestion, but it's not implemented in Snort at
> this time. It could probably be a nice feature for a post-processing
> system if you didn't want to modify Snort's source code.

I agree that it would be a nice feature, but not in the core code. I would advocate doing it in the post-processing system.

Steve Lodin
Head of Global IT Security and Risk Management
Roche Diagnostics GmbH
(W) +49-621-759-5276
(M) +49-173-348-4974

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
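The scheme the thread describes (N events in K time is normal, 10N is a warning, 100N is an active attack) together with the suppress-until-in-limit behaviour Fraser mentions for sec.pl, written as a small post-processor that reads Snort alert lines from a pipe or file. This is an added example, not code from the thread, from sec.pl or from Snort; the alert_fast line layout it parses, the constructed sample lines and the choice of keying counts by source address are assumptions made for the example.

```python
"""Threshold correlation over Snort alert lines (added example, not from
the thread, sec.pl or Snort)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed (simplified) Snort alert_fast layout:
# MM/DD/YY-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[^\]]+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)
EPOCH = datetime(1970, 1, 1)
RANK = {"NORMAL": 0, "WARNING": 1, "ATTACK": 2}


def parse_alert(line):
    """Return a dict for an alert line, or None for anything else (banners, blanks)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%m/%d/%y-%H:%M:%S")
    return {"ts": (when - EPOCH).total_seconds(), "msg": m.group("msg"),
            "src": m.group("src"), "dst": m.group("dst")}


class ThresholdCorrelator:
    """Sliding-window counter per key with the thread's three levels: up to N
    events in K seconds is NORMAL, more than 10N is WARNING, more than 100N is
    ATTACK. Once a level is reported for a key, nothing further is reported
    until an in-limit event re-arms it, except an escalation to a higher level."""

    def __init__(self, n, k):
        self.n, self.k = n, k
        self.windows = defaultdict(deque)  # key -> event timestamps inside the window
        self.raised = {}                   # key -> level already reported

    def level(self, count):
        if count > 100 * self.n:
            return "ATTACK"
        if count > 10 * self.n:
            return "WARNING"
        return "NORMAL"

    def feed(self, key, ts):
        """Record one event; return (key, level, count) when a report is due, else None."""
        w = self.windows[key]
        w.append(ts)
        while w and ts - w[0] > self.k:   # expire events older than K seconds
            w.popleft()
        lvl = self.level(len(w))
        if lvl == "NORMAL":
            self.raised.pop(key, None)    # in-limit event seen: re-arm reporting
            return None
        if RANK[lvl] <= RANK.get(self.raised.get(key), 0):
            return None                   # same or lower level already reported: suppress
        self.raised[key] = lvl
        return (key, lvl, len(w))


def correlate(lines, n, k):
    """Run the correlator over Snort output, counting events per source address."""
    corr = ThresholdCorrelator(n, k)
    reports = []
    for line in lines:
        ev = parse_alert(line)
        if ev is None:
            continue
        report = corr.feed(ev["src"], ev["ts"])
        if report:
            reports.append(report)
    return reports


def _fast_line(offset, src):
    """Constructed alert_fast line 'offset' seconds after 13:10:00 on 22 Oct 2001."""
    minute, second = divmod(offset, 60)
    return (f"10/22/01-13:{10 + minute:02d}:{second:02d}.000000  [**] [1:1000001:0] "
            f"SCAN nmap TCP [**] [Priority: 2] {{TCP}} {src}:4321 -> 192.168.1.10:80")


# Constructed sample: one quiet host, one host that ramps to 121 events in two
# minutes, goes quiet long enough to expire the window, then climbs back past 10N.
SAMPLE_LINES = ["Snort startup banner, not an alert"]
SAMPLE_LINES += [_fast_line(t, "10.0.0.5") for t in (0, 100, 200)]
SAMPLE_LINES += [_fast_line(t, "10.0.0.7") for t in range(0, 121)]
SAMPLE_LINES += [_fast_line(t, "10.0.0.7") for t in range(500, 512)]

if __name__ == "__main__":
    for key, lvl, count in correlate(SAMPLE_LINES, n=1, k=300):
        print(f"{lvl:8s} {key}: {count} events in 300s")
```

With N=1 and K=300 the sample produces exactly three reports for 10.0.0.7: a WARNING at the 11th event, an ATTACK at the 101st, and a second WARNING after the quiet period has emptied the window and re-armed the key; the 110-odd events in between are suppressed, which is the behaviour that keeps a pager from firing once per packet. Feeding `sys.stdin` to `correlate` turns it into the pipe reader the thread talks about.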
Current thread:
- Alerting on >n packets? Joshua Thomas (Oct 19)
- Re: Alerting on >n packets? Martin Roesch (Oct 21)
- <Possible follow-ups>
- RE: Alerting on >n packets? Lodin, Steven {GZ-Q~Mannheim} (Oct 22)
- RE: Alerting on >n packets? Fraser Hugh (Oct 22)