Snort mailing list archives
RE: Time Based IDS Rules
From: "adam.w.hogan" <adam.w.hogan () delphi com>
Date: Tue, 18 Nov 2003 08:05:12 -0500
I think you would still want all those alerts. If there are a lot of false positives then I think you need an analysis tool that will ignore or filter out alerts from a certain time of day. That way you'll still have the information if you want to check it out, but can keep it flexible enough to analyze it easily and quickly.

-Adam.

-----Original Message-----
From: Josh Berry [mailto:josh.berry () netschematics com]
Sent: Monday, November 17, 2003 4:19 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Time Based IDS Rules

Has there ever been any discussion/development done on potentially adding time options to IDS signatures? Like the time module for IPTables, where you can specify days that the rule will be active and the time of day? This would be useful for instances where there are high degrees of false positives at certain times of the day, but should not be any activity at others. In my company, we do a lot of development that triggers several of the WEB-XXX rules during the day, but the kind of traffic I would never expect to see at night.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Time Based IDS Rules Josh Berry (Nov 17)
- <Possible follow-ups>
- RE: Time Based IDS Rules adam.w.hogan (Nov 18)
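The analysis-time filtering suggested in the reply, sketched as an added example (not code from the thread or from Snort): every alert is kept, and WEB- alerts that fall inside an expected-noise window are set aside rather than dropped. It assumes alert_fast-style log lines without a year (passed in as `year`) and a hypothetical weekday 08:00-18:00 policy; the sample lines are constructed.

```python
import re
from datetime import datetime, time

# Snort alert_fast line: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ...
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

# Hypothetical policy: WEB-* alerts are expected noise Mon-Fri, 08:00-18:00.
QUIET = {"prefix": "WEB-", "days": {0, 1, 2, 3, 4},
         "start": time(8, 0), "end": time(18, 0)}

def parse_alert(line, year):
    """Return (datetime, sid, msg), or None if the line is not a fast alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    return when, int(m["sid"]), m["msg"]

def in_quiet_window(when, msg, policy=QUIET):
    """True when a matching alert falls on a listed day inside [start, end)."""
    return (msg.startswith(policy["prefix"])
            and when.weekday() in policy["days"]
            and policy["start"] <= when.time() < policy["end"])

def triage(lines, year, policy=QUIET):
    """Split lines into (review, suppressed, unparsed); nothing is discarded."""
    review, suppressed, unparsed = [], [], []
    for line in lines:
        alert = parse_alert(line, year)
        if alert is None:
            unparsed.append(line)
        elif in_quiet_window(alert[0], alert[2], policy):
            suppressed.append(alert)
        else:
            review.append(alert)
    return review, suppressed, unparsed

# Constructed sample alerts (documentation address ranges, not real traffic).
SAMPLE = [
    "11/17-14:02:33.120000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] {TCP} 192.0.2.10:3312 -> 198.51.100.5:80",
    "11/17-23:41:07.550000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] {TCP} 192.0.2.10:4410 -> 198.51.100.5:80",
    "11/15-10:15:00.000000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] {TCP} 192.0.2.44:2001 -> 198.51.100.5:80",
    "11/17-09:30:12.000000  [**] [1:469:3] ICMP PING NMAP [**] {ICMP} 192.0.2.77 -> 198.51.100.5",
]
```

With `year=2003`, `triage(SAMPLE, 2003)` sets aside only the Monday-afternoon WEB-IIS alert; the same signature at night or on Saturday, and the non-WEB alert, stay in the review list.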