Snort mailing list archives

Can I still log every packet when thresholding the alerts?


From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Tue, 25 Nov 2003 14:13:17 -0600

I've been working on exception alerting using snort (i.e. alerting on
traffic inside a network that isn't sourced from or destined to that
subnet, unused protocols, etc.), and it's worked rather well, too well,
in fact.  There are times, such as with Blaster/Welchia/SQL Slammer,
where the rules send out 25k alerts in 5 minutes.  On the one hand,
we're using the detail to determine what's going on (i.e. distinguishing
an actual Welchia infection from the Yahoo! Messenger cruft).  On the
other hand, my boss tends to frown on receiving a pager bill for 3
million pages in a month :-)

So, I was thinking, could I use a rule that has the threshold stuff set
to generate only one alert every X minutes and then have a second rule
that just logs any packet that matches the same criteria?  I vaguely
remember some discussions a while back about having multiple rule
matches, but I don't remember if the end result was the ability to have
the same packet initiate multiple distinct actions.

Thanks.

Jon
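The behaviour Jon is asking for, a "limit"-style threshold that lets one alert through per source every X seconds while a separate log path records every matching packet, modelled in Python. This is an added example, not part of the original post and not Snort's own code; the subnet 10.1.2.0/24, the 300-second window and the packet burst are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float   # capture time in seconds (constructed)
    src: str
    dst: str


class LimitThreshold:
    """Approximates a per-source 'limit' threshold: at most `count` alerts
    per source address in any `seconds`-long window. A new window starts
    at the first event seen after the previous window has expired."""

    def __init__(self, count: int = 1, seconds: int = 300):
        self.count = count
        self.seconds = seconds
        self._windows: dict[str, tuple[float, int]] = {}  # src -> (window start, alerts fired)

    def alert_allowed(self, src: str, ts: float) -> bool:
        start, fired = self._windows.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            self._windows[src] = (ts, 1)          # fresh window: first alert goes out
            return True
        if fired < self.count:
            self._windows[src] = (start, fired + 1)
            return True
        return False                              # suppressed: limit reached in this window


def is_exception(pkt: Packet, local_net: ipaddress.IPv4Network) -> bool:
    # "Exception" traffic as described in the post: seen on the segment but
    # neither sourced from nor destined to the local subnet.
    return (ipaddress.ip_address(pkt.src) not in local_net
            and ipaddress.ip_address(pkt.dst) not in local_net)


def process(packets, threshold: LimitThreshold, local_net: str):
    """Returns (alerts, logged): alerts are rate limited, logged is every match."""
    net = ipaddress.ip_network(local_net)
    alerts, logged = [], []
    for p in packets:
        if not is_exception(p, net):
            continue
        logged.append(p)                          # log path: every matching packet, no throttling
        if threshold.alert_allowed(p.src, p.ts):
            alerts.append(p)                      # alert path: one per source per window
    return alerts, logged


# Constructed sample: a worm-style burst of 10 packets in 10 seconds from one
# outside host to another outside host, one legitimate local packet, then one
# more packet from the same source after the 300-second window has expired.
SAMPLE = (
    [Packet(float(t), "192.0.2.7", "198.51.100.9") for t in range(10)]
    + [Packet(12.0, "10.1.2.5", "10.1.2.6")]
    + [Packet(400.0, "192.0.2.7", "198.51.100.9")]
)


def demo():
    return process(SAMPLE, LimitThreshold(count=1, seconds=300), "10.1.2.0/24")


if __name__ == "__main__":
    alerts, logged = demo()
    print(f"{len(logged)} packets logged, {len(alerts)} alerts sent")
```

Running it shows 11 packets logged but only 2 alerts (the first packet of the burst and the one after the window expired), which is the split between "keep the detail for investigation" and "don't page 3 million times" that the post describes. Tracking by source is what keeps a single infected host from drowning out alerts about a second one.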



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

