Snort mailing list archives

Alerting on >n packets?


From: "Joshua Thomas" <thomasj () engr uconn edu>
Date: Fri, 19 Oct 2001 12:28:37 -0400

Hello all. This is my first post to this list.
I'm using snort at the University of Connecticut, where it may eventually be
used university-wide to watch for attacks.

We trigger lots of false positives, especially on the rules that don't check
packet contents. My question is, can I write rules that will trigger after
"n" number of packets that trigger another alert? For example, we have an
FTP server which triggers almost all of the arachNIDS trojan rules, daily.
However it only triggers each rule once or twice. Can I have it not generate
an alert until 10, 50, or 100 of those packets are seen?

Thanks in advance,

Joshua F. Thomas
Research Assistant | Fiber Optics Manufacturing
Programmer | University Information Technology Services
University of Connecticut
Lab: 860-486-0624
thomasj () engr uconn edu
http://www.engr.uconn.edu/ofmrl/
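As an added example (not part of the original post and not Snort's own code), the following Python filter does what the question asks for outside of Snort: it reads alert lines in Snort's fast-alert format, counts hits per signature and source address, and re-alerts only once `count` hits fall within `seconds`. Later Snort releases provide the same behaviour natively through the `threshold`/`event_filter` options (type threshold, track by_src, count, seconds); the alert lines below are constructed sample data, and the sid 100 "BACKDOOR probe" rule is hypothetical.

```python
import re
from collections import defaultdict, deque

# Constructed sample alerts in Snort fast-alert format (not real traffic).
SAMPLE_ALERTS = """\
10/19-12:00:01.000000 [**] [1:100:1] BACKDOOR probe [**] {TCP} 10.0.0.5:4444 -> 192.0.2.21:21
10/19-12:00:02.000000 [**] [1:100:1] BACKDOOR probe [**] {TCP} 10.0.0.5:4445 -> 192.0.2.21:21
10/19-12:00:03.000000 [**] [1:100:1] BACKDOOR probe [**] {TCP} 10.0.0.9:4444 -> 192.0.2.21:21
10/19-12:00:04.000000 [**] [1:100:1] BACKDOOR probe [**] {TCP} 10.0.0.5:4446 -> 192.0.2.21:21
10/19-12:10:00.000000 [**] [1:100:1] BACKDOOR probe [**] {TCP} 10.0.0.5:4447 -> 192.0.2.21:21
"""

# Timestamp, [gid:sid:rev], message, protocol and source address of a fast-alert line.
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.\d+ \[\*\*\] "
    r"\[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\] .*?\{\w+\} (?P<src>[\d.]+):\d+ -> "
)

def parse_alert(line):
    """Return (seconds, sid, src_ip, msg) for one alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    # Day-of-month plus time of day is enough to order alerts within one month.
    ts = int(m["day"]) * 86400 + int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return ts, int(m["sid"]), m["src"], m["msg"]

def threshold_alerts(lines, count, seconds):
    """Emit an alert only when `count` hits for the same sid from the same source
    fall within `seconds`; the counter resets after each emitted alert, which is
    the 'type threshold, track by_src' behaviour."""
    windows = defaultdict(deque)   # (sid, src) -> timestamps still inside the window
    emitted = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue                # skip lines that are not alerts
        ts, sid, src, msg = parsed
        hits = windows[(sid, src)]
        hits.append(ts)
        while hits and ts - hits[0] > seconds:   # expire hits older than the window
            hits.popleft()
        if len(hits) >= count:
            emitted.append((sid, src, msg, len(hits)))
            hits.clear()            # start counting again for the next alert
    return emitted

if __name__ == "__main__":
    for sid, src, msg, n in threshold_alerts(SAMPLE_ALERTS.splitlines(), 3, 60):
        print(f"sid {sid} ({msg}) from {src}: {n} hits within 60 s")
```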



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

