Snort mailing list archives
Can I still log every packet when thresholding the alerts?
From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Tue, 25 Nov 2003 14:13:17 -0600
I've been working on exception alerting using snort (i.e. alerting on traffic inside a network that isn't sourced from or destined to that subnet, unused protocols, etc.), and it's worked rather well; too well, in fact. There are times, such as with Blaster/Welchia/SQL Slammer, where the rules send out 25k alerts in 5 minutes. On the one hand, we're using the detail to determine what's going on (i.e. distinguishing an actual Welchia infection from the Yahoo! Messenger cruft). On the other hand, my boss tends to frown on receiving a pager bill for 3 million pages in a month :-)

So, I was thinking, could I use a rule that has the threshold stuff set to generate only one alert every X minutes and then have a second rule that just logs any packet that matches the same criteria? I vaguely remember some discussions a while back about having multiple rule matches, but I don't remember if the end result was the ability to have the same packet initiate multiple distinct actions.

Thanks.

Jon
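The two-rule split Jon describes, written out as an added illustration in Snort 2.x rule syntax (this is not code from the original post). It assumes a variable $INTERNAL_NET for the monitored subnet, placeholder SIDs in the local range, and that snort.conf's event queue is allowed to report more than one event for the same packet.

```snort
# Added example, not from the original post. $INTERNAL_NET is an assumed
# snort.conf variable holding the monitored subnet; SIDs 1000001/1000002 are
# placeholders in the local range.

# Rule 1: the pager-worthy alert. The threshold option rate-limits it to one
# event per source address every 5 minutes (300 seconds); further matches
# from the same source inside that window generate no alert.
alert ip !$INTERNAL_NET any -> !$INTERNAL_NET any ( \
    msg:"EXCEPTION traffic neither from nor to the monitored subnet"; \
    threshold:type limit, track by_src, count 1, seconds 300; \
    classtype:bad-unknown; sid:1000001; rev:1; )

# Rule 2: identical match criteria, log action, no threshold, so every
# matching packet is still written to the log output for later analysis
# (e.g. telling a real Welchia infection apart from Yahoo! Messenger noise).
log ip !$INTERNAL_NET any -> !$INTERNAL_NET any ( \
    msg:"EXCEPTION traffic (full packet log)"; sid:1000002; rev:1; )

# Assumption: for one packet to fire both rules, the event queue in
# snort.conf must be permitted to queue and log more than a single event
# per packet, e.g.:
config event_queue: max_queue 8 log 3 order_events priority
```

Whether the second rule actually fires on a packet already matched by the first depends on the Snort version's rule ordering and event queue settings, so check the logged packet count against a known-noisy source before relying on it.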