Snort mailing list archives

RE: Alerting on >n packets?


From: "Lodin, Steven {GZ-Q~Mannheim}" <STEVEN.LODIN () Roche COM>
Date: Mon, 22 Oct 2001 08:22:52 +0200

I would change the topic to "Alerting on >n events".

This is something I tried to do, but failed in ISS.  Either the product didn't support thresholds or I couldn't find it in the documentation.  The situation was the following:

N events in K time is normal behaviour
10N events in K time is a warning level
100N events in K time is an active attack requiring immediate response

To accomplish this, I fed all events to a Tivoli Distributed Monitoring system using SNMP.  Tivoli did the event collection and thresholding.  When it reached its trigger points, then the Tivoli response system dished out the appropriate emails and pages.


That's a good feature suggestion, but it's not implemented in Snort at
this time.  It could probably be a nice feature for a post-processing
system if you didn't want to modify Snort's source code.


I agree that it would be a nice feature, but not in the core code.  I would advocate doing it in the post-processing system.

Steve Lodin
Head of Global IT Security and Risk Management
Roche Diagnostics GmbH
(W) +49-621-759-5276
(M) +49-173-348-4974
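As an added illustration (not code from the post, from Snort, or from Tivoli), one shape a post-processing thresholder of the kind described above could take: a per-signature sliding window over Snort fast-format alert lines, graded with the N / 10N / 100N-in-K-seconds tiers. The sample alert lines, signature ids and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
# Snort "fast" alert line: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ...
ALERT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\]\s+.*?\s+\[\*\*\]")
LEVELS = {"normal": 0, "warning": 1, "attack": 2}

def parse_alert(line):
    """Return (seconds, signature) for an alert line, None otherwise; month/day folded into seconds."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, sig = m.groups()
    return ((int(mon) * 31 + int(day)) * 24 + int(hh)) * 3600 + int(mm) * 60 + int(ss), sig

class EventThresholder:
    """Per-signature sliding window over the last K seconds; tiers are multiples of baseline N."""
    def __init__(self, baseline_n, window_k):
        self.n, self.k = baseline_n, window_k
        self.windows = defaultdict(deque)      # sig -> timestamps still inside the window

    def observe(self, ts, sig):
        q = self.windows[sig]
        q.append(ts)
        while ts - q[0] >= self.k:             # evict events older than K seconds
            q.popleft()
        count = len(q)
        return "attack" if count >= 100 * self.n else "warning" if count >= 10 * self.n else "normal"

def worst_level_per_signature(lines, baseline_n, window_k):
    """Replay alert lines in arrival order and report the highest tier each signature reached."""
    th, worst = EventThresholder(baseline_n, window_k), {}
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:                     # e.g. Snort start-up banner lines
            continue
        level = th.observe(*parsed)
        if LEVELS[level] > LEVELS.get(worst.get(parsed[1]), -1):
            worst[parsed[1]] = level
    return worst

def constructed_alerts(sig, count, start_sec, per_second):
    """Constructed sample alerts for `sig`: `count` of them arriving `per_second` per second."""
    lines = []
    for i in range(count):
        t = start_sec + i // per_second
        lines.append(f"10/22-{t // 3600 % 24:02d}:{t // 60 % 60:02d}:{t % 60:02d}.000000  [**] "
                     f"[1:{sig}:1] CONSTRUCTED sample alert [**] [Priority: 2] {{TCP}} 10.0.0.1:1024 -> 10.0.0.2:80")
    return lines

SAMPLE = (["Initializing Network Interface eth0"]              # non-alert line, skipped
          + constructed_alerts("1000001", 5, 8 * 3600, 1)       # 5 in 5 s: stays below 10N
          + constructed_alerts("1000002", 25, 8 * 3600, 1)      # 25 in 25 s: crosses 10N = 20
          + constructed_alerts("1000003", 200, 8 * 3600, 10))   # 200 in 20 s: crosses 100N = 200
```

With `baseline_n=2, window_k=60`, `worst_level_per_signature(SAMPLE, 2, 60)` grades the three constructed signatures normal, warning and attack respectively; the tiers can be mapped to the e-mail and paging actions the post describes.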

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net