Snort mailing list archives

Re: Feature request: thresholds need another counter?


From: "Paul Schmehl" <pauls () utdallas edu>
Date: Tue, 16 Mar 2004 22:09:43 -0600

----- Original Message ----- 
From: "Jason Haar" <Jason.Haar () trimble co nz>
To: <snort-users () lists sourceforge net>
Sent: Tuesday, March 16, 2004 9:45 PM
Subject: [Snort-users] Feature request: thresholds need another counter?


I am in a dilemma. I want to move to thresholds so as to save my SQL
databases from collapse, and yet at the same time I don't like losing the
details - such as what looks like 10 SLAMMER alerts @ 1 per minute was
actually 10,000,000 alerts - but threshold reduced it down.

I guess my question would be, why should you care?  Case in point.  My rule
for Nachi thresholds at, IIRC, 1000 alerts in a 60 second period.  If I'm
getting that many alerts, I *know* it's Nachi.  I no longer have to wonder
if it's something else.  Once I *know* that, why do I care if this
particular instance sets off 250,000 alerts/hour whereas another infection
sets off 125,000/hour?  The fact is, the alert has done its job, and I don't
really need to know the precise numbers.

There may be cases where this is not true, however, so I think there's some
merit to your suggestion.  I'm just not sure how much.
:-)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
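As an added illustration for the archive (not code from the thread or from the Snort project), the following Python models Snort 2.x event thresholding as documented for the standalone config line `threshold gen_id <g>, sig_id <s>, type <limit|threshold|both>, track by_src, count <n>, seconds <m>`: `type limit` reports the first `count` events per `seconds` window, `type threshold` reports every `count`-th event, and `type both` reports once per window after `count` events. It also keeps the extra per-source counter the feature request asks for (events swallowed by the threshold), so "10 alerts @ 1 per minute" can still be reported alongside the real volume behind them. The two source addresses, their rates and the 10-minute event streams are constructed for the example, and the model follows the documented semantics rather than Snort's source code.

```python
"""Model of Snort 2.x event thresholding (type limit / threshold / both, track by_src).

Added example, not code from the Snort project or the mailing-list thread. It
follows the documented semantics of

    threshold gen_id <g>, sig_id <s>, type <limit|threshold|both>, track by_src, count <n>, seconds <m>

and adds a per-source counter of events the threshold swallowed, so the real
event count behind a thresholded alert is not lost.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Threshold:
    kind: str      # "limit", "threshold" or "both"
    count: int     # events per window
    seconds: int   # window length


@dataclass
class SourceState:
    window_start: int = 0   # ms; start of the current window
    seen: int = 0           # events counted in the current window
    total: int = 0          # every matching event for this source
    alerts: int = 0         # events that were reported
    suppressed: int = 0     # events swallowed by the threshold (the requested counter)


class Thresholder:
    def __init__(self, th: Threshold):
        self.th = th
        self.state = defaultdict(SourceState)   # one state per tracked source (track by_src)

    def event(self, src: str, ts_ms: int) -> bool:
        """Feed one matching event; return True if it should be reported."""
        s, th = self.state[src], self.th
        s.total += 1
        # A window opens on the first counted event and closes `seconds` later.
        if s.seen == 0 or ts_ms - s.window_start >= th.seconds * 1000:
            s.window_start, s.seen = ts_ms, 0
        s.seen += 1
        if th.kind == "limit":          # report the first `count` events per window
            fire = s.seen <= th.count
        elif th.kind == "threshold":    # report every `count`-th event
            fire = s.seen >= th.count
            if fire:
                s.seen = 0              # next event starts a fresh group and window
        elif th.kind == "both":         # report once per window, after `count` events
            fire = s.seen == th.count
        else:
            raise ValueError(f"unknown threshold type {th.kind!r}")
        if fire:
            s.alerts += 1
        else:
            s.suppressed += 1
        return fire

    def summary(self):
        """Per-source (alerts reported, events suppressed)."""
        return {src: (s.alerts, s.suppressed) for src, s in self.state.items()}


# Constructed traffic (timestamps in ms), not captured data:
#  - a worm-like host firing 2000 matching packets per minute for 10 minutes
#  - a noisy but slow host firing one matching packet per second for 10 minutes
WORM_HOST, SLOW_HOST = "10.0.0.5", "10.0.0.9"
EVENTS = sorted(
    [(WORM_HOST, i * 30) for i in range(20_000)] +
    [(SLOW_HOST, j * 1000) for j in range(600)],
    key=lambda e: e[1],
)


def run_scenario(kind: str, count: int, seconds: int):
    """Apply one threshold to the constructed stream and return the per-source summary."""
    t = Thresholder(Threshold(kind, count, seconds))
    for src, ts in EVENTS:
        t.event(src, ts)
    return t.summary()


if __name__ == "__main__":
    for kind, count in (("limit", 1), ("threshold", 1000), ("both", 1000)):
        print(f"type {kind}, count {count}, seconds 60:")
        for src, (alerts, suppressed) in run_scenario(kind, count, 60).items():
            print(f"  {src}: {alerts} alerts reported, {suppressed} events suppressed")
```

Running it shows the two positions in the thread side by side: with `type limit, count 1, seconds 60` both hosts produce the same ten alerts over ten minutes, so the alert stream alone cannot tell a worm from a chatty host, which is the detail the feature request wants back, and the suppressed counter (19990 versus 590) supplies it. With `type both, count 1000, seconds 60`, the rule as Paul describes it, only the fast host ever reports, which is why the alert firing at all already identifies the infection.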


