Snort mailing list archives
Re: Alerting on >n packets?
From: Martin Roesch <roesch () sourcefire com>
Date: Sun, 21 Oct 2001 23:38:45 -0400
That's a good feature suggestion, but it's not implemented in Snort at this time. It could probably be a nice feature for a post-processing system if you didn't want to modify Snort's source code.

-Marty

Joshua Thomas wrote:
Hello all. This is my first post to this list.

I'm using snort at the University of Connecticut, where it may eventually be used university-wide to watch for attacks. We trigger lots of false positives, especially on the rules that don't check packet contents.

My question is, can I write rules that will trigger after "n" number of packets that trigger another alert? For example, we have an FTP server which triggers almost all of the arachNIDS trojan rules, daily. However it only triggers each rule once or twice. Can I have it not generate an alert until 10, 50, or 100 of those packets are seen?

Thanks in advance,

Joshua F. Thomas
Research Assistant | Fiber Optics Manufacturing Programmer | University Information Technology Services
University of Connecticut
Lab: 860-486-0624
thomasj () engr uconn edu
http://www.engr.uconn.edu/ofmrl/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
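The post-processing approach suggested in the reply above, as an added example that is not part of the original thread or of Snort itself: it reads alert lines and escalates only when the same alert has hit the same destination host n times within a time window. The line layout in the regex, the `escalate` function, and the sample alerts (placeholder rule names, documentation IP ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed one-line alert layout: "MM/DD-HH:MM:SS.usec [**] message [**] ... src -> dst"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample input, not real Snort output.
SAMPLE = [
    "10/19-10:00:00.000000 [**] EXAMPLE-RULE-A [**] 198.51.100.7:1025 -> 192.0.2.10:21",
    "10/19-10:00:30.000000 [**] EXAMPLE-RULE-B [**] 198.51.100.7:1026 -> 192.0.2.10:21",
    "10/19-10:02:00.000000 [**] EXAMPLE-RULE-A [**] 198.51.100.8:4000 -> 192.0.2.10:21",
    "10/19-10:03:00.000000 [**] EXAMPLE-RULE-A [**] 198.51.100.9:4001 -> 192.0.2.20:21",
    "10/19-10:09:00.000000 [**] EXAMPLE-RULE-A [**] 198.51.100.9:4002 -> 192.0.2.10:21",
]

def escalate(lines, n, window=timedelta(hours=24)):
    """Return (timestamp, message, dst, count) each time a (message, dst)
    pair reaches n hits inside the sliding window."""
    recent = defaultdict(deque)   # (message, dst) -> timestamps still in window
    escalated = []
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue              # blank line or a format this parser does not know
        # The log carries no year; strptime's default is fine for differences.
        ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
        hits = recent[(m["msg"], m["dst"])]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # drop hits that aged out of the window
        if len(hits) >= n:
            escalated.append((m["ts"], m["msg"], m["dst"], len(hits)))
            hits.clear()          # restart the count after escalating
    return escalated

if __name__ == "__main__":
    for row in escalate(SAMPLE, n=3, window=timedelta(hours=1)):
        print(row)
```

Keying on the destination as well as the message keeps a server that trips a rule once or twice a day below the threshold while a burst against one host still escalates.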
Current thread:
- Alerting on >n packets? Joshua Thomas (Oct 19)
- Re: Alerting on >n packets? Martin Roesch (Oct 21)
- <Possible follow-ups>
- RE: Alerting on >n packets? Lodin, Steven {GZ-Q~Mannheim} (Oct 22)
- RE: Alerting on >n packets? Fraser Hugh (Oct 22)