Snort mailing list archives
Alerting on >n packets?
From: "Joshua Thomas" <thomasj () engr uconn edu>
Date: Fri, 19 Oct 2001 12:28:37 -0400
Hello all. This is my first post to this list.

I'm using Snort at the University of Connecticut, where it may eventually be used university-wide to watch for attacks. We trigger lots of false positives, especially on the rules that don't check packet contents.

My question is, can I write rules that will trigger after "n" number of packets that trigger another alert? For example, we have an FTP server which triggers almost all of the arachNIDS trojan rules, daily. However, it only triggers each rule once or twice. Can I have it not generate an alert until 10, 50, or 100 of those packets are seen?

Thanks in advance,

Joshua F. Thomas
Research Assistant | Fiber Optics Manufacturing
Programmer | University Information Technology Services
University of Connecticut
Lab: 860-486-0624
thomasj () engr uconn edu
http://www.engr.uconn.edu/ofmrl/