Re: Notification limitation

[Jaime Nebrera <jnebrera () gmail com>]

  Hi Joel,

  Surely I'm not reading it properly, but just checked the 2.4 section 
in the manual (fresh download) and I can't see the place were it states 
were to put the "configuration directives". The same applies for 
README.filter (CVS). In threshold.conf the first thing I see is that is 
deprecated so I didnt continue reading

On 13/01/12 22:00, Joel Esler wrote:
> It's both in README.filters, in threshold.conf, and the Snort Manual. 
> What docs are you referring to that it's not in?
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Jan 13, 2012, at 3:20 PM, Jaime Nebrera <jnebrera () gmail com 
> <mailto:jnebrera () gmail com>> wrote:
>
> > Thanks Joel,
> >
> > I will do ASAP
> >
> > My I suggest you explain that in the docs? You reference it's done 
> > the same way than in the past, but don't say what this is :D
> >
> > Enviado desde mi iPhone
> >
> > El 13/01/2012, a las 21:07, Joel Esler <jesler () sourcefire com 
> > <mailto:jesler () sourcefire com>> escribió:
> >
> > > In your threshold.conf file that is An include from your snort.conf.
> > >
> > > --
> > > Joel Esler
> > > Senior Research Engineer, VRT
> > > OpenSource Community Manager
> > > Sourcefire
> > >
> > > On Jan 13, 2012, at 1:44 PM, Jaime Nebrera <jnebrera () gmail com 
> > > <mailto:jnebrera () gmail com>> wrote:
> > >
> > > > I'm aware of this, I just don't know were to put such configuration :)
> > > >
> > > > Enviado desde mi iPhone
> > > >
> > > > El 13/01/2012, a las 19:16, CleBeer <clebeer () gmail com 
> > > > <mailto:clebeer () gmail com>> escribió:
> > > >
> > > > > Hi,
> > > > > you can use this option in you snort.conf
> > > > >
> > > > > -----
> > > > >  event_filter \
> > > > >         gen_id 0, sig_id 0, \
> > > > >         type both, track by_src, \
> > > > >         count 6, seconds 600
> > > > > ----
> > > > >
> > > > > Take a look in the README.filters at snort source for more examples.
> > > > >
> > > > >
> > > > > cheers
> > > > >
> > > > > On Thu, Jan 12, 2012 at 8:20 AM, Jaime Nebrera <jnebrera () gmail com 
> > > > > <mailto:jnebrera () gmail com>> wrote:
> > > > >
> > > > >       Hi all,
> > > > >
> > > > >       Im aware this is a basic question but Im a bit lost.
> > > > >
> > > > >       I would like to limit the number of alarms sent to a Snorby
> > > > >     system in
> > > > >     a general way (not specific to a particular rule).
> > > > >
> > > > >       Something like this:
> > > > >
> > > > >       For a particular event send no more than 3 per minute AND 6
> > > > >     per 5 minutes
> > > > >
> > > > >       I want to apply this limit to ALL rules and events, thus
> > > > >     wont get
> > > > >     flooded by the same event many times in the same timeframe
> > > > >
> > > > >       Of course this doesnt mean more events can reach the snorby
> > > > >     box, but
> > > > >     they will be different rules, not the same
> > > > >
> > > > >       My I ask how to do this?
> > > > >
> > > > >     ------------------------------------------------------------------------------
> > > > >     RSA(R) Conference 2012
> > > > >     Mar 27 - Feb 2
> > > > >     Save $400 by Jan. 27
> > > > >     Register now!
> > > > >     http://p.sf.net/sfu/rsa-sfdev2dev2
> > > > >     _______________________________________________
> > > > >     Snort-devel mailing list
> > > > >     Snort-devel () lists sourceforge net
> > > > >     <mailto:Snort-devel () lists sourceforge net>
> > > > >     https://lists.sourceforge.net/lists/listinfo/snort-devel
> > > > >
> > > > >     Please visit http://blog.snort.org for the latest news about
> > > > >     Snort!
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > -----------------------------
> > > > > Cleber S. Brandão
> > > > > Mob. +55 11 9333-9429
> > > > >
> > > > > clebeerpub.blogspot.com <http://clebeerpub.blogspot.com>
> > > > > www.snort.org.br <http://www.snort.org.br>
> > > > >   ,, _
> > > > >  o"    )~
> > > > >    '' ''
> > > > > http://www.linkedin.com/in/clebeer
> > > > > -----------------------------------
> > > > ------------------------------------------------------------------------------
> > > > RSA(R) Conference 2012
> > > > Mar 27 - Feb 2
> > > > Save $400 by Jan. 27
> > > > Register now!
> > > > http://p.sf.net/sfu/rsa-sfdev2dev2
> > > > _______________________________________________
> > > > Snort-devel mailing list
> > > > Snort-devel () lists sourceforge net 
> > > > <mailto:Snort-devel () lists sourceforge net>
> > > > https://lists.sourceforge.net/lists/listinfo/snort-devel
> > > >
> > > > Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!