Snort mailing list archives

RE: Snort Log Method


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Thu, 29 Aug 2002 10:34:35 -0400

Not that I'm aware.  While every alert that is generated for sig-x may look the same to you, they are in fact very 
different, and each one is relevant to an analyst.  Knowing that attacker-x triggered sig-x 345 times is somewhat 
useful, but even more useful is the payload information that tells you:
 
- Whether the same request triggered each event, or if each event was triggered by a different request, only a portion 
of which triggered sig-x
- Whether things like TTL values remain constant, which could be an indicator of distributed attacks and/or IP spoofing 
(same source, different TTL = people not playing nice with your network)
- Whether the source port changes, or increments using some pattern (used to identify common tools, take guesses at OS, 
etc.)
- Which flags and options are set in IP/TCP headers, which can be very helpful in identifying common tools and scan 
types (such as the Nmap XMAS, etc.), as well as determining which types of evasion tactics are in use
 
The list could go on for days.  In brief, you'd be doing yourself a great disservice by implementing such a feature.  
Bits and bytes are small, and the information that is contained in each event will surely be invaluable, should you 
find yourself in the unfortunate position of having to piece together an attack.
 
Cheers
 
Keith
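To make the point above concrete, here is an added example (not code from either poster) that parses constructed Snort full-format alert blocks and, per source/signature pair, reports the TTL, source-port and TCP-flag variation that a one-event-per-IP policy would throw away. The alert text, addresses and SIDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Snort's "full" alert output (not real traffic,
# SID values made up): three events from one source for the same signature with
# differing TTLs and ports, which logging one event per IP would collapse to one line.
SAMPLE_ALERTS = """\
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
08/29-10:01:00.000001 1.1.1.1:40001 -> 10.0.0.5:80
TCP TTL:64 TOS:0x0 ID:1001 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x1 Ack: 0x1 Win: 0x2000 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
08/29-10:01:01.000001 1.1.1.1:40002 -> 10.0.0.5:80
TCP TTL:64 TOS:0x0 ID:1002 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x2 Ack: 0x2 Win: 0x2000 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
08/29-10:01:02.000001 1.1.1.1:51000 -> 10.0.0.5:80
TCP TTL:118 TOS:0x0 ID:1003 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x3 Ack: 0x3 Win: 0x2000 TcpLen: 20
"""

HEADER = re.compile(r"^\[\*\*\] \[\d+:\d+:\d+\] (?P<sig>.+?) \[\*\*\]$")
ADDR = re.compile(r"^\S+ (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IPHDR = re.compile(r"^(?P<proto>\w+) TTL:(?P<ttl>\d+) ")
TCPHDR = re.compile(r"^(?P<flags>[\w*]{8}) Seq:")

def parse_alerts(text):
    """Turn full-format alert blocks into dicts; each [**] header starts a new event."""
    events, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"sig": m.group("sig")}
            events.append(cur)
            continue
        if cur is None:
            continue
        for rx in (ADDR, IPHDR, TCPHDR):
            m = rx.match(line)
            if m:
                cur.update({k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()})
    return events

def summarize(events):
    """Per (src, sig): event count plus the per-event variation an analyst wants to see."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["sig"])].append(e)
    out = {}
    for key, evs in groups.items():
        ports = [e["sport"] for e in evs]
        out[key] = {
            "count": len(evs),
            "ttls": sorted({e["ttl"] for e in evs}),  # more than one value: spoofing or several hosts?
            "ports_increment": all(b > a for a, b in zip(ports, ports[1:])),  # tool fingerprint hint
            "flags": sorted({e["flags"] for e in evs}),  # odd combinations hint at scan types
        }
    return out
```

Run on the sample, the single 1.1.1.1 group shows two distinct TTLs behind what a per-IP counter would report as "345 hits, one signature".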

-----Original Message-----
From: Pedro Tedeschi [mailto:pedro.tedeschi () frb-par com]
Sent: Thursday, August 29, 2002 10:13 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Log Method


Hi,
 
Is it possible for Snort to log just one unique event per IP?
 
Like this
 
The IP 1.1.1.1 has attacked 345 times on the same signature "WEB-IIS cmd.exe access",
but I want to log this attack just one time and discard the other attacks from this signature.
 
Can I do this?
 
 
 
Regards,
 
Pedro Tedeschi

