Re: Alerting on >n packets?

[Martin Roesch <roesch () sourcefire com>]

That's a good feature suggestion, but it's not implemented in Snort at
this time.  It could probably be a nice feature for a post-processing
system if you didn't want to modify Snort's source code.

     -Marty

Joshua Thomas wrote:
> Hello all. This is my first post to this list.
> I'm using snort at the University of Connecticut, where it may eventually be
> used university-wide to watch for attacks.
>
> We trigger lots of false postitives, espcially on the rules the don't check
> packet contents. My question is, can I write rules that will trigger after
> "n" number of packets that trigger another alert? For example, we have an
> FTP server which triggers almost all of the arachNIDS trojan rules, daily.
> However it only triggers each rule once or twice. Can I have it not generate
> an alert until 10, 50, or 100 of those packets are seen?
>
> Thanks in advance,
>
> Joshua F. Thomas
> Research Assistant | Fiber Optics Manufacturing
> Programmer | University Information Technology Services
> University of Connecticut
> Lab: 860-486-0624
> thomasj () engr uconn edu
> http://www.engr.uconn.edu/ofmrl/
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users