Snort mailing list archives
RE: not detecting common intrusion
From: Cearns Angela <acearns () yahoo com>
Date: Thu, 27 Jun 2002 11:52:20 -0700 (PDT)
Yes, Steve: I'd love to look into your idea, could you please forward me the patches? Thanks, Ang --- Steve Halligan <giermo () geeksquad com> wrote:
You can't use a rule, since there's not a "Xpackets over Ytime" logic built into the rule parser. You'd have to have some sortofpreprocessor similar to the portscan preprocessor to do that.A while back I wrote up a patch to create a new ruletype I called a Trigger rule that did exactly this. The alert would fire if and only if the signature got matched X times in Y seconds. Perhaps someone would be interested in re-visiting this idea? I submitted two versions of the patch, one based on the 1.8.x codebase and one on the 1.9/2.0 codebase. They are probably both out-of-date currently, and would need some tweaking to get them to work, which I do not currently have time to do. If there is any interest in this, I would be happy to forward the old patches. They can also found in the snort-devel archive. -Steve
__________________________________________________ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com ------------------------------------------------------- Sponsored by: ThinkGeek at http://www.ThinkGeek.com/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: not detecting common intrusion Steve Halligan (Jun 27)
- RE: not detecting common intrusion Cearns Angela (Jun 27)
- RE: not detecting common intrusion Cearns Angela (Jun 27)