RE: not detecting common intrusion

[Cearns Angela <acearns () yahoo com>]

Yes, Steve:

I'd love to look into your idea, could you please
forward me the patches?

Thanks,
Ang
--- Steve Halligan <giermo () geeksquad com> wrote:
> > You can't use a rule, since there's not a "X
> packets over Y 
> > time" logic built
> > into the rule parser.  You'd have to have some sort
> of 
> > preprocessor similar to
> > the portscan preprocessor to do that.
>
> A while back I wrote up a patch to create a new
> ruletype I called a Trigger
> rule that did exactly this.  The alert would fire if
> and only if the
> signature got matched X times in Y seconds.  Perhaps
> someone would be
> interested in re-visiting this idea?  I submitted
> two versions of the patch,
> one based on the 1.8.x codebase and one on the
> 1.9/2.0 codebase.  They are
> probably both out-of-date currently, and would need
> some tweaking to get
> them to work, which I do not currently have time to
> do.
>
> If there is any interest in this, I would be happy
> to forward the old
> patches.  They can also found in the snort-devel
> archive.
>
> -Steve


__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com


-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users