Snort mailing list archives
Re: Snort Log Method
From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 29 Aug 2002 07:46:56 -0700 (PDT)
On Thu, 29 Aug 2002, Pedro Tedeschi wrote:
> Is it possible for Snort to log just one unique event per IP?

No.

> Like this: the IP 1.1.1.1 has attacked 345 times on the same signature "WEB-IIS cmd.exe access", but I want to log this attack just one time and discard the other attacks from this signature. Can I do this?
Snort logs each and every event as an individual alert. They are _different_ each time it goes off. Even if you do get 500 CRII attacks, each packet is different. Therefore, each time it happens, it will generate an alert.

Now, what you _can_ do is use a log tool. There is a tool called snort_stat.pl that will read a logfile, and condense it. You could then have it emailed to you. It gives a breakdown of events and the number of times it occurred, among others. IIRC, there is a version in the contrib dir in the tarball.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
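
The condensing step described in the reply above, as an added example that is not part of the original message and is not snort_stat.pl: it collapses repeated alerts into one row per source IP and signature with a count. It assumes Snort's one-line "fast" alert layout with IPv4 addresses; the sample lines, the function names and every address other than 1.1.1.1 are constructed for illustration.

```python
import re

# Constructed sample alerts in the assumed "fast" layout; not taken from the thread.
SAMPLE_ALERTS = """\
08/29-07:40:01.100000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 1.1.1.1:3101 -> 192.0.2.10:80
08/29-07:40:02.250000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 1.1.1.1:3102 -> 192.0.2.10:80
08/29-07:41:10.000000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.77:4000 -> 192.0.2.10:80
08/29-07:42:30.500000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 1.1.1.1:3103 -> 192.0.2.10:80
08/29-07:43:00.000000  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 1.1.1.1 -> 192.0.2.10
this line is truncated or not an alert
"""

# timestamp, [gid:sid:rev], message, then "{PROTO} src[:port] -> dst[:port]".
# The port is optional because ICMP alerts carry none.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::\d+)?\s+->\s+(?P<dst>[^\s:]+)(?::\d+)?\s*$"
)

def condense(lines):
    """Group alerts by (source IP, signature message).

    Returns (summary, skipped): summary maps each key to its count and the
    first/last timestamps seen; skipped holds lines that did not parse, so
    malformed input is surfaced instead of silently dropped.
    """
    summary, skipped = {}, []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if m is None:
            skipped.append(line)
            continue
        entry = summary.setdefault((m["src"], m["msg"]),
                                   {"count": 0, "first": m["ts"], "last": m["ts"]})
        entry["count"] += 1
        entry["last"] = m["ts"]
    return summary, skipped

def report(summary):
    """One text row per (source, signature), most frequent first."""
    rows = sorted(summary.items(), key=lambda kv: -kv[1]["count"])
    return ["%5d  %-15s  %s  (first %s, last %s)" % (v["count"], src, msg, v["first"], v["last"])
            for (src, msg), v in rows]

if __name__ == "__main__":
    summary, skipped = condense(SAMPLE_ALERTS.splitlines())
    print("\n".join(report(summary)))
    print("unparsed lines: %d" % len(skipped))
```

Snort still writes every alert; the reduction happens only in the report, so the full log remains available for later investigation.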