Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Feature request: thresholds need another counter?

From: Jason Haar <Jason.Haar () trimble co nz>
Date: Sat, 20 Mar 2004 21:07:32 +1300
On Thu, Mar 18, 2004 at 11:22:44AM -0600, Paul Schmehl wrote:

Perhaps the ideal solution is to allow thresholding for *reporting* 
purposes, but log everything to the db?  But again, that should be backend 


What I'd like to see is if Snort sees 1 Nachi session, then capture the
entire session as normal, but then just log the number of times that same IP
is involved with Nachi sessions from then on (within limits set by the
threshold settings). That way you know IP address X.x.x.x sent 10,000 Nachi
sessions, but it only took up 1K of SQL dataspace. I don't care to see
10,000 packet captures all neatly logged by Snort - just the first one will
show all I need to see (after all, if the attack type was different enough
to matter, it either would have been missed by Snort or captured by a
different rule anyway). I just can't see any downside?


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: