Snort mailing list archives
Re: Alert only when n number of rule matches rcvd
From: Erek Adams <erek () snort org>
Date: Thu, 13 Feb 2003 09:08:33 -0500 (EST)
On Wed, 12 Feb 2003, Jason Linden wrote:
> I am trying to set up a rule that will only generate an alert if n number of packets are received in n number of seconds. I.e., like everyone else, we receive a large number of false positive 'ICMP Destination Unreachable' alerts. I would like to configure Snort to only generate an alert if, say, 30 of these packets are rcvd in 30 seconds. Is there any way to do this?
Nope. You'd need to use swatch for something like that.

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
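The "30 alerts in 30 seconds" aggregation asked about above, done outside Snort as a pass over its alert log, which is the kind of log post-processing the reply points to. This is an added example, not part of the original thread and not swatch configuration; it assumes Snort's "fast" alert line format, and the log lines, SID and addresses in `sample` are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Snort "fast" alert line: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ...
LINE_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(.*?)\s+\[\*\*\]")

def parse(line, year=2003):
    """Return (timestamp, message) or None. Fast alerts carry no year, so
    the caller supplies one (assumption: the log does not span New Year)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
    return ts, m.group(2)

def threshold_alerts(lines, needle, count=30, seconds=30):
    """Timestamps at which `count` alerts containing `needle` fell inside a
    sliding window of `seconds`."""
    window, fired = deque(), []
    span = timedelta(seconds=seconds)
    for line in lines:
        parsed = parse(line)
        if parsed is None or needle not in parsed[1]:
            continue
        ts = parsed[0]
        window.append(ts)
        while window and ts - window[0] >= span:  # drop events outside window
            window.popleft()
        if len(window) >= count:
            fired.append(ts)
            window.clear()          # re-arm: next alert needs a fresh burst
    return fired

def sample(n, step_s, start=datetime(2003, 2, 13, 9, 0, 0)):
    """Constructed log lines (documentation addresses), one every step_s s."""
    tail = ("  [**] [1:402:4] ICMP Destination Unreachable Port Unreachable [**] "
            "[Classification: Misc activity] [Priority: 3] {ICMP} "
            "192.0.2.10 -> 192.0.2.20")
    return [(start + timedelta(seconds=i * step_s)).strftime("%m/%d-%H:%M:%S.%f")
            + tail for i in range(n)]

if __name__ == "__main__":
    msg = "ICMP Destination Unreachable"
    print("burst :", threshold_alerts(sample(30, 1), msg))   # 30 alerts in 29 s
    print("steady:", threshold_alerts(sample(30, 2), msg))   # 30 alerts in 58 s
```

Clearing the window after each notification means a sustained flood produces one summary alert per full burst rather than one per packet past the threshold.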