Snort mailing list archives

q about alerts

From: "Weber Mail" <Don () WeberOnTheWeb com>
Date: Thu, 30 May 2002 18:02:26 -0700

I want to be alerted when a specific event occurs, the rule i have made
triggers the alert correctly, however, it continues to alert like 4 or 5
times per second, my purpose is alerting upon a telnet connection to machine
x by machines, x,y and z then tcpdump
looks something like this

var telclients [192.168.1.3/32,111.222.111.222/32,1.2.2.4/32]
var telserver [192.168.1.1/24]
alert tcp $telclients any -> $telservers any (msg:"Telnet session in
progress";)
output log_tcpdump: telnets.log

I'd prefer an alert upon the initial connection, and an alert on any new
connection, but i currently get like 5 alerts per second, on just 1
connection.

any ideas

Don


_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

sorry...upgrade question again Hugo Ferr (May 28)
- Re: sorry...upgrade question again Erek Adams (May 28)
  - Re: sorry...upgrade question again Hugo Ferr (May 29)
    - RE: sorry...upgrade question again Adam Migus (May 29)
    - Re: sorry...upgrade question again Hugo Ferr (May 30)
    - q about alerts Weber Mail (May 30)
    - Re: q about alerts Phil Wood (May 31)