Snort mailing list archives
q about alerts
From: "Weber Mail" <Don () WeberOnTheWeb com>
Date: Thu, 30 May 2002 18:02:26 -0700
I want to be alerted when a specific event occurs. The rule I have made triggers the alert correctly; however, it continues to alert like 4 or 5 times per second. My purpose is alerting upon a telnet connection to machine x by machines x, y and z, then tcpdump; it looks something like this:

var telclients [192.168.1.3/32,111.222.111.222/32,1.2.2.4/32]
var telservers [192.168.1.1/24]
alert tcp $telclients any -> $telservers any (msg:"Telnet session in progress";)
output log_tcpdump: telnets.log

I'd prefer an alert upon the initial connection, and an alert on any new connection, but I currently get like 5 alerts per second, on just 1 connection. Any ideas?

Don
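The behaviour described in the post, shown as an added example that is not part of the original message or the thread: a rule with no detection options matches every packet that fits its header, while a rule restricted to SYN-only packets fires once per new connection. Destination port 23 and the `sid` values are assumptions made for this illustration.

```snort
# Added example; variable names follow the post, port and sid values are assumed.
var telclients [192.168.1.3/32,111.222.111.222/32,1.2.2.4/32]
var telservers [192.168.1.1/24]

# Before: the options carry only a message, so the header is the whole test.
# Every client-to-server packet of an established session matches, which is
# why a single connection produces several alerts per second.
alert tcp $telclients any -> $telservers any (msg:"Telnet session in progress"; sid:1000001; rev:1;)

# After: flags:S matches only a packet whose sole TCP flag is SYN, i.e. the
# first packet of the three-way handshake sent by the client. Data packets
# and ACKs of the same session no longer match, so each new connection
# attempt produces one alert. Port 23 (assumed) narrows the rule to telnet.
alert tcp $telclients any -> $telservers 23 (msg:"New telnet connection"; flags:S; sid:1000002; rev:1;)

output log_tcpdump: telnets.log
```

A retransmitted SYN alerts again, and the SYN-only rule fires on connection attempts whether or not the server accepts them.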