Snort mailing list archives
ICQ rules
From: "Grotenhuis, Eric" <Eric.Grotenhuis () safelite com>
Date: Mon, 26 Nov 2001 08:53:53 -0500
Has anyone looked into rewriting the ICQ rule in the present ruleset? Every time you open a new ICQ message or receive one, it can kick off up to 10 alerts. Get a dozen chatty users and you have a LOT of alerts quick.

I'm a rule writing rookie, but maybe we can change the way this works. Maybe we can create a new rule that only logs the initial auth to ICQ's servers instead of every time it pulls down a banner? Just a thought.

Eric Grotenhuis
Network Analyst
Safelite Glass Corp
614.798.2508