Snort mailing list archives

custom snort rule for packet capture


From: Le CON <matty_condon () hotmail com>
Date: Fri, 11 Dec 2015 11:10:53 +1300

Hey guys,
So what I want to do is have custom rules which both a) update the normal way via unified2, which is then passed to a
DB via by2, and b) dump those packets.
So basically if a known bad IP hits I want to know about it, and also get a full packet capture dump. BUT I don't want
3,000 alerts for the 3,000 packets; I want 1 alert, or 1 alert per 5 minutes, letting me know that we got touched by
badness and packets are being dumped.
Here's what I had:

    ruletype sensitive
    {
        type alert
        output unified2: filename snort.u2, limit 128, mpls_event_types, vlan_event_types
        output log_tcpdump: sensitive.log
    }

    sensitive ip any any <> any any (content:"secret"; nocase; msg:"packet containing 'secret'"; classtype:sensitive; sid:80000001; rev:001;)
    sensitive ip 192.168.1.5 any <> any any (msg:"bad IP detected, dumping packets...."; classtype:sensitive; sid:80000002; rev:001;)

..ok so the problem is, it worked, but it flooded my normal events with about 3,000 alerts every time this 192.168.1.5 IP
connected. As I said, I only want it to alert once every 5 mins or so. I know I can do an in-rule threshold that limits
alerts to once every 5 minutes by doing "threshold:type limit, count 1, seconds 60;" but since the rule is tied also
to tcpdump, will that not cut the packet dump also??

Anyone have any experience with this?
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
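One way to keep the full packet dump while rate-limiting the alert, as an added example that is not part of the original post: split the two outputs into separate ruletypes, so the thresholded alert rule and the unthresholded log rule fire independently of each other. It assumes Snort 2.9 syntax, a `sensitive` classtype declared as shown, and that the event queue depth (default `log 3`) lets both events for one packet be logged; the sids, rev numbers and file names are hypothetical.

```snort
# Added example (not from the original post). Snort 2.9 syntax assumed.
# The classtype used below must be declared once (normally in classification.config).
config classification: sensitive,Sensitive traffic,2

# Rate-limited alert path: unified2 events only, picked up by barnyard2.
ruletype sensitive_alert
{
    type alert
    output unified2: filename snort.u2, limit 128, mpls_event_types, vlan_event_types
}

# Unthrottled capture path: every matching packet is written to the pcap file.
ruletype sensitive_dump
{
    type log
    output log_tcpdump: sensitive.log
}

# Alert once per source IP every 300 seconds. A threshold needs a track
# direction (by_src or by_dst); the original rule omitted it.
sensitive_alert ip 192.168.1.5 any <> any any (msg:"bad IP detected, packets being dumped"; \
    classtype:sensitive; threshold:type limit, track by_src, count 1, seconds 300; \
    sid:80000002; rev:2;)

# Same match, separate sid, no threshold, so the dump keeps running between alerts.
sensitive_dump ip 192.168.1.5 any <> any any (msg:"bad IP packet dump"; \
    classtype:sensitive; sid:80000003; rev:1;)

# Equivalent limit expressed in threshold.conf instead of in the rule
# (the in-rule threshold keyword is deprecated in favour of event_filter):
# event_filter gen_id 1, sig_id 80000002, type limit, track by_src, count 1, seconds 300
```

Because the threshold is attached only to sid 80000002, suppressing its repeat alerts has no effect on the log rule, so sensitive.log still receives every packet from the watched address.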