Snort mailing list archives
RE: Alerting on >n packets?
From: "Lodin, Steven {GZ-Q~Mannheim}" <STEVEN.LODIN () Roche COM>
Date: Mon, 22 Oct 2001 08:22:52 +0200
I would change the topic to "Alerting on >n events". This is something I tried to do, but failed in ISS. Either the product didn't support thresholds or I couldn't find it in the documentation. The situation was the following:

N events in K time is normal behaviour
10N events in K time is a warning level
100N events in K time is an active attack requiring immediate response

To accomplish this, I fed all events to a Tivoli Distributed Monitoring system using SNMP. Tivoli did the event collection and thresholding. When it reached its trigger points, then the Tivoli response system dished out the appropriate emails and pages.
That's a good feature suggestion, but it's not implemented in Snort at this time. It could probably be a nice feature for a post-processing system if you didn't want to modify Snort's source code.
I agree that it would be a nice feature, but not in the core code. I would advocate doing it in the post-processing system.

Steve Lodin
Head of Global IT Security and Risk Management
Roche Diagnostics GmbH
(W) +49-621-759-5276
(M) +49-173-348-4974

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
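The post-processing thresholder the message above describes (N events in K time is normal, 10N a warning, 100N an active attack), written as an added example that is not part of this thread, of Snort, or of the Tivoli setup Steve used. It reads Snort "fast" alert lines, keeps a sliding window of timestamps per (signature, source IP) key, and emits a notification only when a key escalates to a higher tier, so a sustained flood pages once rather than on every packet. N=3, K=60 seconds, the year 2001 (fast format carries no year), the signature ID 1000001 and all alert lines are assumptions constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tiers from the post: N in K time is normal, 10N a warning, 100N an attack.
# N and K are assumed values for this example.
N = 3
K = timedelta(seconds=60)
RANK = {"normal": 0, "warning": 1, "attack": 2}

# Snort "fast" alert line, e.g.
# 10/22-08:22:52.000000  [**] [1:2003:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.0.0.5:1234 -> 10.0.0.1:80
FAST_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{1,6})\s+\[\*\*\]\s+"
    r"\[(\d+):(\d+):(\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)"
)


def parse_fast_alert(line, year=2001):
    """Return (timestamp, sid, src_ip) for a Snort fast-format line, or None.
    Fast format has no year, so the caller supplies one (assumed 2001 here)."""
    m = FAST_RE.match(line)
    if not m:
        return None
    mo, d, h, mi, s, frac = (int(x) for x in m.groups()[:6])
    us = frac * 10 ** (6 - len(m.group(6)))  # pad short fractions to microseconds
    return datetime(year, mo, d, h, mi, s, us), int(m.group(8)), m.group("src")


def tier_for(count, n=N):
    """Map a per-window event count to the tier names used in the post."""
    if count >= 100 * n:
        return "attack"
    if count >= 10 * n:
        return "warning"
    return "normal"


class ThresholdMonitor:
    """Sliding-window counter keyed by (sid, src_ip). Events must arrive in
    time order, which a Snort alert file written sequentially provides."""

    def __init__(self, n=N, window=K):
        self.n = n
        self.window = window
        self.recent = defaultdict(deque)  # key -> timestamps still inside K
        self.tier = {}                    # key -> last tier assigned

    def feed(self, ts, sid, src):
        key = (sid, src)
        q = self.recent[key]
        q.append(ts)
        while ts - q[0] > self.window:    # expire events older than K
            q.popleft()
        new, old = tier_for(len(q), self.n), self.tier.get(key, "normal")
        self.tier[key] = new              # de-escalation is recorded silently
        if RANK[new] > RANK[old]:         # notify on escalation only
            return key, new, len(q)
        return None


def make_alert(ts, src, sid=1000001):
    """Constructed sample line in Snort fast format (not a real capture)."""
    return (f"{ts:%m/%d-%H:%M:%S.%f}  [**] [1:{sid}:1] TEST probe [**] "
            f"[Priority: 2] {{TCP}} {src}:1234 -> 10.0.0.1:80")


def run_demo():
    """Three constructed sources: 5 events over 60s, 40 in 28s, 350 in 28s."""
    base = datetime(2001, 10, 22, 8, 22, 52)
    lines = [make_alert(base + timedelta(seconds=15 * i), "10.0.0.5") for i in range(5)]
    lines += [make_alert(base + timedelta(milliseconds=700 * i), "10.0.0.6") for i in range(40)]
    lines += [make_alert(base + timedelta(milliseconds=80 * i), "10.0.0.7") for i in range(350)]
    lines.sort()  # timestamp leads each line, so lexical order is time order within a day
    mon, notices = ThresholdMonitor(), []
    for line in lines:
        parsed = parse_fast_alert(line)
        if parsed is None:
            continue             # skip non-alert lines in a real file
        note = mon.feed(*parsed)
        if note:
            notices.append(note)
    return notices


if __name__ == "__main__":
    for (sid, src), tier, count in run_demo():
        print(f"{src} sid {sid}: {tier} ({count} events within {K.seconds}s)")
```

In the demo the quiet host never crosses N, the second host is reported once at 30 events (warning), and the third is reported at 30 (warning) and again at 300 (attack); the per-key state means an attacker spreading probes across many sources still needs to be caught by a second counter keyed on signature alone, which is the same loop with a different key.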
Current thread:
- Alerting on >n packets? Joshua Thomas (Oct 19)
- Re: Alerting on >n packets? Martin Roesch (Oct 21)
- <Possible follow-ups>
- RE: Alerting on >n packets? Lodin, Steven {GZ-Q~Mannheim} (Oct 22)
- RE: Alerting on >n packets? Fraser Hugh (Oct 22)