Snort mailing list archives
Re: Another Snort Rules Question
From: Erik Fichtner <emf () servervault com>
Date: Wed, 8 Sep 2004 20:36:06 -0400
On Wed, Sep 08, 2004 at 01:11:45PM -0700, Scott Elgram wrote:
> Erik, thank you for that. I looked into it and it may just be what I need, however... is there a way I can set it so it logs like normal, with the queue, but stops if a particular rule is found true?
MMmmmmm.... not off the top of my head. I know it will order the alerts by priority, but it's not a cumulative thing. But with a relatively minor modification to the source, you could set it up so that each priority event had a weight to it; e.g.:

  priority 1 events weigh 100 points
  priority 2 events weigh 50 points
  priority 3 events weigh 25 points
  ...and so on

and then this proposed modification could be set so that it only will log "125 points" worth of events. Then you could theoretically change the priorities on your rules so that it worked the way you wanted.

...it's just a thought, and I don't know if it's even a very good one. I can't actually see much use for having a half-functional event_queue. Personally, I would want either the one best-match rule (e.g.: "config event_queue: log 1 order_events content_length") or use some external correlator that isn't bothered too deeply by having multiple events fire. Again, that may just be my own personal bias.

--
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
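To make the two options in the message concrete, here is an added simulation that is not Snort code: it models the proposed point-budget queue (priority weights 100/50/25, a 125-point budget) next to the stock "log 1 order_events content_length" behaviour, over a constructed set of events. The weight halving past priority 3 and the sample SIDs are assumptions.

```python
"""Simulate the weighted event_queue idea from the message above.

Added illustration only: Snort's real event_queue has no per-priority
weights. This models the proposed point budget and, for comparison,
"config event_queue: log 1 order_events content_length".
"""
from dataclasses import dataclass


def weight_for(priority: int) -> int:
    """Proposed weights: priority 1 -> 100, 2 -> 50, 3 -> 25.
    Halving again for lower priorities is an assumption ("and so on")."""
    return max(1, 100 >> (priority - 1))


@dataclass(frozen=True)
class Event:
    sid: int             # rule id (constructed sample values, local SID range)
    priority: int        # 1 = most severe, as in Snort's classification
    content_length: int  # length of matched content, Snort's tie-breaker


def budgeted_log(events, budget=125, strict_stop=True):
    """Return the events to log under a point budget.

    Events are walked in Snort's priority order (priority first, longest
    content first). strict_stop=True stops logging at the first event that
    would exceed the budget (the "stops if a rule is found" reading);
    strict_stop=False skips it and keeps looking for cheaper events.
    """
    ordered = sorted(events, key=lambda e: (e.priority, -e.content_length))
    logged, spent = [], 0
    for ev in ordered:
        cost = weight_for(ev.priority)
        if spent + cost > budget:
            if strict_stop:
                break
            continue
        logged.append(ev)
        spent += cost
    return logged


def best_match(events):
    """Stock alternative: log 1 order_events content_length."""
    return max(events, key=lambda e: e.content_length)


# Constructed sample: four rules fire on one packet.
SAMPLE = [
    Event(1000001, 3, 12),
    Event(1000002, 1, 40),
    Event(1000003, 2, 8),
    Event(1000004, 3, 30),
]
```

With `strict_stop=True` only the priority 1 event survives (100 + 50 would exceed 125); with `strict_stop=False` the queue fills the remaining 25 points with the longer-content priority 3 event.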
Current thread:
- Another Snort Rules Question Scott Elgram (Sep 07)
- Re: Another Snort Rules Question Erik Fichtner (Sep 07)
- Re: Another Snort Rules Question Scott Elgram (Sep 08)
- Re: Another Snort Rules Question Erik Fichtner (Sep 08)
- ADDENDUM: Re: Another Snort Rules Question Erik Fichtner (Sep 08)
- Re: Another Snort Rules Question Scott Elgram (Sep 08)
- Re: Another Snort Rules Question Erik Fichtner (Sep 07)