Snort mailing list archives
Re: correlation on a snort sensor
From: Erek Adams <erek () theadamsfamily net>
Date: Sun, 14 Apr 2002 18:54:22 -0700 (PDT)
On Tue, 9 Apr 2002, Sven Humm wrote:
Is there a way to fire one alert only if a signature matches more than "n" times on a specific signature that came from the same IP?
Currently, I don't know of one.
For example: I only want one alert fired if my sensor matches more than 5 times during 30 seconds to the same signature...and of course with the same IP (like a trigger). In my opinion that should be possible to solve on the sensor...but I never saw a sensor that can do that. There are some correlation systems that do this job...but it would be nice to define these things on the sensor.
The place and way to implement this would be with a plugin. You would have to maintain a list of all IPs, how often, how long you would hold them, etc., etc., etc., and then generate the alert from the preprocessor. This is very similar to the way that spp_portscan.c is working now. Might want to have a look at that.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
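The reply sketches the data structure such a preprocessor would need: a table keyed by signature and source address, a match counter per key, and a time window after which the key is forgotten. The following is an added example written for this page, not Snort code and not a copy of spp_portscan.c. It assumes a fixed-size table, the rule's sid and the source IPv4 address passed in as uint32_t, and the packet timestamp supplied by the caller, which is how a preprocessor would receive them; the sid values, addresses and timestamps in main() are constructed for the demonstration.

```c
/* Sliding-window event thresholding keyed by (sid, source IP).
 * Added example for this page; not Snort's own code and not spp_portscan.c.
 * Assumptions: a bounded table, sid and source IPv4 address as uint32_t,
 * and the packet timestamp supplied by the caller. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_TRACK 256   /* bounded so a flood of sources cannot exhaust memory */

typedef struct {
    int      in_use;
    uint32_t sid;
    uint32_t src_ip;
    time_t   window_start;
    unsigned count;         /* matches seen in the current window */
    int      fired;         /* aggregate alert already raised in this window */
} track_t;

typedef struct {
    track_t  slot[MAX_TRACK];
    unsigned threshold;     /* "n": alert once the count exceeds this */
    unsigned window_secs;   /* length of the counting window */
} threshold_table_t;

void th_init(threshold_table_t *t, unsigned threshold, unsigned window_secs)
{
    memset(t, 0, sizeof *t);
    t->threshold = threshold;
    t->window_secs = window_secs;
}

/* Find the tracker for (sid, src_ip); on a miss reuse a free or expired slot. */
static track_t *th_lookup(threshold_table_t *t, uint32_t sid, uint32_t src_ip, time_t now)
{
    track_t *victim = NULL;
    for (size_t i = 0; i < MAX_TRACK; i++) {
        track_t *s = &t->slot[i];
        if (s->in_use && s->sid == sid && s->src_ip == src_ip)
            return s;
        if (!victim && (!s->in_use || now - s->window_start >= (time_t)t->window_secs))
            victim = s;     /* first free or expired slot */
    }
    if (victim) {
        memset(victim, 0, sizeof *victim);
        victim->in_use = 1;
        victim->sid = sid;
        victim->src_ip = src_ip;
        victim->window_start = now;
    }
    return victim;          /* NULL when the table is full: the event is not counted */
}

/* Record one signature match. Returns 1 exactly once per (sid, src_ip, window),
 * the first time the match count exceeds the threshold; otherwise 0. */
int th_event(threshold_table_t *t, uint32_t sid, uint32_t src_ip, time_t now)
{
    track_t *s = th_lookup(t, sid, src_ip, now);
    if (!s)
        return 0;
    if (now - s->window_start >= (time_t)t->window_secs) {
        /* window expired: start a fresh one, which also re-arms the alert */
        s->window_start = now;
        s->count = 0;
        s->fired = 0;
    }
    s->count++;
    if (!s->fired && s->count > t->threshold) {
        s->fired = 1;
        return 1;
    }
    return 0;
}

/* Replay a sequence of match times for one (sid, src_ip). Returns the number of
 * aggregate alerts raised; *first gets the 1-based index of the match that raised
 * the first one (0 if none). */
int th_replay(threshold_table_t *t, uint32_t sid, uint32_t src_ip,
              const time_t *times, size_t n, size_t *first)
{
    int alerts = 0;
    *first = 0;
    for (size_t i = 0; i < n; i++) {
        if (th_event(t, sid, src_ip, times[i])) {
            if (alerts == 0)
                *first = i + 1;
            alerts++;
        }
    }
    return alerts;
}

int main(void)
{
    threshold_table_t t;
    th_init(&t, 5, 30);     /* "more than 5 matches in 30 seconds", as in the question */

    /* constructed: seven matches of sid 1000001 from 10.0.0.5 within 6 seconds */
    time_t burst[] = {1000, 1001, 1002, 1003, 1004, 1005, 1006};
    size_t first;
    int n = th_replay(&t, 1000001u, 0x0A000005u, burst, 7, &first);
    printf("burst: %d alert(s), first raised on match #%zu\n", n, first);

    /* same source an hour later: the window has expired, so counting starts over */
    time_t later[] = {4600, 4601, 4602};
    n = th_replay(&t, 1000001u, 0x0A000005u, later, 3, &first);
    printf("later: %d alert(s)\n", n);
    return 0;
}
```

The one-shot `fired` flag is what turns "more than n matches" into a single alert per window rather than one alert per match after the threshold; without it the plugin would only delay the flood, not collapse it. The bounded table and the eviction of expired slots are the part the reply hints at with "how long would you hold them": an attacker who can spray source addresses can otherwise grow the tracking state without limit, so a full table must fail closed (drop the count) rather than allocate.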
Current thread:
- correlation on a snort sensor Sven Humm (Apr 14)
- Re: correlation on a snort sensor Erek Adams (Apr 14)