![snort logo](/images/snort-logo.png)
Snort mailing list archives
Re: Noisy Rules
From: Mark.Schutzmann () Omron com
Date: Thu, 4 Mar 2004 12:48:21 -0600
Paul,

Try this as an example:

    alert icmp $HOME_NET any -> any any (msg:"ALERT!!! Welchia Infection!!! (Each Event=500)"; content:"|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|"; dsize:64; itype:8; icode:0; threshold: type limit, track by_src, count 500, seconds 300; classtype:trojan-activity; sid:100000507; rev:2;)

( I guess for the rest, you can use it to test your alerting... ;-) )

Regards,
Mark

"Paul Lane" <paul_lane () supplyworks com>
Sent by: snort-users-admin () lists sourceforge net
03/04/2004 11:10 AM
To: <snort-users () lists sourceforge net>
cc:
Subject: [Snort-users] Noisy Rules

I'm running Snort 2.1 with MSSQL, Acid and IIS on Windows 2003 server. I have some rules that are chatty, but I want to keep them. How do I set a limit to the number of notifications it will send me per hour?

Thanks,
Paul Lane
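To make the `threshold` option's behaviour concrete, here is an added Python model (not code from this thread or from the Snort project) of the three threshold types as Snort 2.x documents them: `limit` alerts on the first `count` events per tracked key in each `seconds`-long interval, `threshold` alerts every `count` events, and `both` alerts once per interval after `count` events. It is run over constructed events, and it assumes the interval simply restarts when an event arrives after the previous window has expired.

```python
from typing import Dict, Iterable, List, Tuple


class Threshold:
    """Models Snort 2.x `threshold: type <kind>, track by_src, count N, seconds T`.

    Assumption: a key's window restarts on the first event seen after the
    previous window has expired (a simplification of Snort's internals).
    """

    def __init__(self, kind: str, count: int, seconds: float) -> None:
        if kind not in ("limit", "threshold", "both"):
            raise ValueError("kind must be limit, threshold or both")
        self.kind, self.count, self.seconds = kind, count, seconds
        # tracked key (e.g. source IP) -> (window start, events seen in window)
        self.windows: Dict[str, Tuple[float, int]] = {}

    def event(self, key: str, ts: float) -> bool:
        """Record one matching packet; return True if it should raise an alert."""
        start, seen = self.windows.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0  # new interval for this key
        seen += 1
        self.windows[key] = (start, seen)
        if self.kind == "limit":
            return seen <= self.count          # first N per interval, then silence
        if self.kind == "threshold":
            return seen % self.count == 0      # every Nth event
        return seen == self.count              # both: once per interval after N


def simulate(kind: str, count: int, seconds: float,
             events: Iterable[Tuple[str, float]]) -> int:
    """Return how many alerts a rule with this threshold would emit."""
    th = Threshold(kind, count, seconds)
    return sum(1 for src, ts in events if th.event(src, ts))


# Constructed sample traffic: host 10.0.0.5 sends 600 matching pings in the
# first 100 s and 50 more after the 300 s window has expired; 10.0.0.9 sends 3.
EVENTS: List[Tuple[str, float]] = (
    [("10.0.0.5", t / 6) for t in range(600)]
    + [("10.0.0.5", 301.0 + t) for t in range(50)]
    + [("10.0.0.9", t * 10.0) for t in range(3)]
)

if __name__ == "__main__":
    # Mark's rule: type limit, count 500, seconds 300
    print("limit 500/300s   :", simulate("limit", 500, 300, EVENTS))
    print("threshold 500/300s:", simulate("threshold", 500, 300, EVENTS))
    print("both 500/300s    :", simulate("both", 500, 300, EVENTS))
    # Paul's ask, at most 10 notifications per source per hour
    print("limit 10/3600s   :", simulate("limit", 10, 3600, EVENTS))
```

With Mark's `type limit, count 500, seconds 300` the infected host produces 500 alerts in its first window plus 50 in the next, so the flood of 650 packets becomes 553 alerts in total (including the three from the second host); `threshold` and `both` reduce the same traffic to a single alert, and a `count 10, seconds 3600` limit answers Paul's per-hour question directly.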
Current thread:
- Noisy Rules Paul Lane (Mar 04)
- <Possible follow-ups>
- Re: Noisy Rules Mark . Schutzmann (Mar 04)
- RE: Noisy Rules Schmehl, Paul L (Mar 04)