Snort mailing list archives

Re: correlation on a snort sensor


From: Erek Adams <erek () theadamsfamily net>
Date: Sun, 14 Apr 2002 18:54:22 -0700 (PDT)

On Tue, 9 Apr 2002, Sven Humm wrote:

> Is there a way to fire one alert only if a signature matches more than
> "n" times on a specific signature that came from the same IP?

Currently, I don't know of one.

> For example:
> I only want one alert fired, if my sensor matches more than 5 times
> during 30 seconds to the same signature...and of course with the same
> IP. (like a trigger)

> In my opinion that should be possible to solve on the sensor....but I
> never saw a sensor that can do that.
> There are some correlation systems that do this job...but it would be
> nice to define these things on the sensor.

The place and way to implement this would be with a plugin.  You would have to
maintain a list of all IPs, how often, how long would you hold them, etc.,
etc., etc. and then generate the alert from the preprocessor.  This is very
similar to the way that spp_portscan.c is working now.  Might want to have a
look at that.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
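The per-source, per-signature counting Erek describes, as an added example in C that is not Erek's code and not part of Snort or spp_portscan.c: a fixed-size table keyed by (source IP, signature id) that counts matches inside a sliding window and fires one aggregated alert when the count exceeds "n", then stays quiet until the window expires. The function and type names, the 64-entry table size and the sample address 10.0.0.1 are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

#define MAX_ENTRIES 64   /* assumed table size; a real preprocessor would size and evict */

typedef struct {
    uint32_t src_ip;     /* source address, host byte order */
    uint32_t sid;        /* signature id that matched */
    uint32_t count;      /* matches seen in the current window */
    uint32_t win_start;  /* time (seconds) the current window opened */
    int fired;           /* aggregated alert already sent for this window */
    int used;
} thresh_entry;

typedef struct { thresh_entry e[MAX_ENTRIES]; uint32_t limit, window; } thresh_table;

/* limit = "n" matches, window = seconds the counts are held */
void thresh_init(thresh_table *t, uint32_t limit, uint32_t window) {
    memset(t, 0, sizeof *t);
    t->limit = limit;
    t->window = window;
}

/* Record one match of `sid` from `src_ip` at time `now`; returns 1 when the
   single aggregated alert should be emitted, 0 otherwise. */
int thresh_hit(thresh_table *t, uint32_t src_ip, uint32_t sid, uint32_t now) {
    thresh_entry *slot = NULL;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        thresh_entry *e = &t->e[i];
        if (e->used && e->src_ip == src_ip && e->sid == sid) { slot = e; break; }
        /* remember a free or expired entry in case this key is new */
        if (!slot && (!e->used || now - e->win_start >= t->window)) slot = e;
    }
    if (!slot) return 0;  /* table full: drop silently (real code would evict the oldest) */
    if (!slot->used || slot->src_ip != src_ip || slot->sid != sid ||
        now - slot->win_start >= t->window) {
        /* new key or expired window: start counting afresh */
        slot->used = 1; slot->src_ip = src_ip; slot->sid = sid;
        slot->count = 0; slot->win_start = now; slot->fired = 0;
    }
    slot->count++;
    if (slot->count > t->limit && !slot->fired) { slot->fired = 1; return 1; }
    return 0;
}

/* Drive `n` matches from 10.0.0.1 (constructed), `spacing` seconds apart;
   returns the 1-based index of the match that fired, or 0 if none did. */
int first_alert_index(uint32_t limit, uint32_t window, uint32_t spacing, uint32_t n) {
    thresh_table t;
    thresh_init(&t, limit, window);
    for (uint32_t i = 0; i < n; i++)
        if (thresh_hit(&t, 0x0A000001u, 1000, i * spacing)) return (int)(i + 1);
    return 0;
}
```

With Sven's numbers (more than 5 matches in 30 seconds), ten matches one second apart fire exactly once, on the sixth; ten matches ten seconds apart never fire because no window ever holds more than three.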


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
