Snort mailing list archives

RE: Time Based IDS Rules


From: "adam.w.hogan" <adam.w.hogan () delphi com>
Date: Tue, 18 Nov 2003 08:05:12 -0500


I think you would still want all those alerts.  If there are a lot of false positives then I think you need an analysis 
tool that will ignore or filter out alerts from a certain time of day.  That way you'll still have the information if 
you want to check it out, but can keep it flexible enough to analyze it easily and quickly.

-Adam.

-----Original Message-----
From: Josh Berry [mailto:josh.berry () netschematics com]
Sent: Monday, November 17, 2003 4:19 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Time Based IDS Rules


Has there ever been any discussion/development done on potentially adding
time options to IDS signatures?

Like the time module for IPTables, where you can specify days that the
rule will be active and the time of day?

This would be useful for instances where there are high degrees of false
positives at certain times of the day, but should not be any activity at
others.  In my company, we do a lot of development that triggers several
of the WEB-XXX rules during the day, but the kind of traffic I would never
expect to see at night.


-------------------------------------------------------
This SF. Net email is sponsored by: GoToMyPC
GoToMyPC is the fast, easy and secure way to access your computer from
any Web browser or wireless device. Click here to Try it Free!
https://www.gotomypc.com/tr/OSDN/AW/Q4_2003/t/g22lp?Target=mm/g22lp.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
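The post-processing approach Adam suggests, as an added example that is not part of the original thread and not code from Snort itself: a small Python filter that reads Snort "alert_fast" output lines, keeps every alert, and separates out the ones that match a signature pattern inside a configured weekday time window (Josh's daytime WEB-* noise) so an analyst can hide them from the working view without losing them. The sample alert lines, the 08:00-18:00 weekday window, the "WEB-" message prefix and the year (fast-format timestamps carry no year) are all constructed assumptions for this example.

```python
"""Time-of-day triage for Snort alert_fast lines.

Added example, not from the original thread or from Snort. It keeps every
alert and only *classifies* it: alerts matching a signature pattern inside
a noisy time window go to a "suppressed" list, everything else is "kept".
Nothing is discarded, so a night-time WEB-* hit is still surfaced and the
daytime ones can be pulled back for review.

Assumptions (not from the thread): alert_fast line layout as shown in the
comment below, a caller-supplied year, and made-up policy values.
"""
import re
from datetime import datetime, time

# Snort alert_fast line, e.g.:
# 11/17-14:02:11.123456  [**] [1:1201:7] WEB-IIS ISAPI .ida attempt [**] \
#   [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.2.3:4567 -> 10.9.8.7:80
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)


def parse_fast_alert(line, year):
    """Parse one alert_fast line. Returns a dict or None if the line does not match.

    alert_fast timestamps have no year, so the caller supplies it; without
    it the weekday cannot be computed.
    """
    m = FAST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m.group('ts')}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m.group("sid")), "msg": m.group("msg"), "raw": line}


class TimeWindowRule:
    """Matches alerts whose message matches `pattern` and whose timestamp falls
    on one of `weekdays` (Monday=0) between `start` (inclusive) and `end`
    (exclusive)."""

    def __init__(self, pattern, start, end, weekdays=range(0, 5)):
        self.pattern = re.compile(pattern)
        self.start = start
        self.end = end
        self.weekdays = set(weekdays)

    def matches(self, alert):
        t = alert["ts"]
        return (
            self.pattern.search(alert["msg"]) is not None
            and t.weekday() in self.weekdays
            and self.start <= t.time() < self.end
        )


def triage(lines, rules, year):
    """Split alert lines into (kept, suppressed). Every parsed alert lands in
    exactly one list; unparseable lines are skipped."""
    kept, suppressed = [], []
    for line in lines:
        alert = parse_fast_alert(line, year)
        if alert is None:
            continue
        (suppressed if any(r.matches(alert) for r in rules) else kept).append(alert)
    return kept, suppressed


# Constructed sample input. November 2003: the 16th is a Sunday, the 17th a Monday.
SAMPLE_ALERTS = [
    "11/17-14:02:11.123456  [**] [1:1201:7] WEB-IIS ISAPI .ida attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.2.3:4567 -> 10.9.8.7:80",
    "11/17-23:40:05.000001  [**] [1:1201:7] WEB-IIS ISAPI .ida attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.2.3:4568 -> 10.9.8.7:80",
    "11/17-14:05:00.000000  [**] [1:648:5] SHELLCODE x86 NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] {TCP} 10.1.2.3:4569 -> 10.9.8.7:80",
    "11/16-14:02:11.000000  [**] [1:1202:3] WEB-CGI phf access [**] "
    "[Classification: Web Application Attack] [Priority: 2] {TCP} 10.1.2.3:4570 -> 10.9.8.7:80",
    "this line is not an alert",
]

# Policy: WEB-* signatures are expected from development 08:00-18:00 on weekdays.
RULES = [TimeWindowRule(r"^WEB-", time(8, 0), time(18, 0))]


def run_demo():
    """Run the sample through the rules; returns (kept, suppressed)."""
    return triage(SAMPLE_ALERTS, RULES, year=2003)


if __name__ == "__main__":
    kept, suppressed = run_demo()
    for a in kept:
        print("KEEP      ", a["ts"], a["sid"], a["msg"])
    for a in suppressed:
        print("SUPPRESSED", a["ts"], a["sid"], a["msg"])
```

The window is applied at analysis time, not in the signature, so a rule that fires at night still produces the same alert it would by day; only the view changes. The weekend WEB-CGI hit and the night-time WEB-IIS hit stay in the kept list even though they match the pattern.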



