Snort mailing list archives

RE: not detecting common intrusion


From: Steve Halligan <giermo () geeksquad com>
Date: Thu, 27 Jun 2002 09:11:31 -0500


You can't use a rule, since there's not a "X packets over Y time" logic built into the rule parser.  You'd have to have some sort of preprocessor similar to the portscan preprocessor to do that.


A while back I wrote up a patch to create a new ruletype I called a Trigger
rule that did exactly this.  The alert would fire if and only if the
signature got matched X times in Y seconds.  Perhaps someone would be
interested in re-visiting this idea?  I submitted two versions of the patch,
one based on the 1.8.x codebase and one on the 1.9/2.0 codebase.  They are
probably both out-of-date currently, and would need some tweaking to get
them to work, which I do not currently have time to do.

If there is any interest in this, I would be happy to forward the old
patches.  They can also be found in the snort-devel archive.

-Steve
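The "fire if and only if the signature matched X times in Y seconds" behaviour discussed in this thread is a sliding-window count per signature and source. The following is an added illustration written for this archive page, not Steve's Trigger-rule patch and not Snort code: it replays a constructed list of (timestamp, signature id, source address) matches and emits an alert only when a given (signature, source) pair reaches the count within the window. The reset-after-firing choice (one alert per burst rather than one per subsequent match) is this example's own assumption about sensible semantics.

```python
from collections import defaultdict, deque

# Constructed sample matches: (timestamp in seconds, signature id, source IP).
# These are invented values for the example, not captured Snort output.
SAMPLE_EVENTS = [
    (0.0, 1000, "10.0.0.5"),
    (0.5, 1000, "10.0.0.9"),
    (1.0, 1000, "10.0.0.5"),
    (2.0, 1000, "10.0.0.5"),
    (3.0, 1000, "10.0.0.5"),
    (4.0, 1000, "10.0.0.5"),   # fifth match from 10.0.0.5 inside 10 s
    (20.0, 1000, "10.0.0.9"),
    (30.0, 1000, "10.0.0.5"),
    (31.0, 1000, "10.0.0.5"),
    (32.0, 1000, "10.0.0.5"),
    (33.0, 1000, "10.0.0.5"),  # only four since the last reset
    (40.0, 1000, "10.0.0.9"),
    (50.0, 2000, "10.0.0.5"),  # a different signature, single match
]


class TriggerRule:
    """Alert when a key is seen `count` times within any `seconds`-long window.

    One deque of timestamps is kept per key (here the key is the
    (signature id, source IP) pair). Timestamps older than the window
    are dropped from the front before the count is checked.
    """

    def __init__(self, count, seconds):
        if count < 1 or seconds <= 0:
            raise ValueError("count must be >= 1 and seconds must be > 0")
        self.count = count
        self.seconds = seconds
        self.windows = defaultdict(deque)

    def observe(self, key, ts):
        """Record one match; return True if the threshold is reached."""
        q = self.windows[key]
        q.append(ts)
        # Expire matches that fell out of the trailing window.
        while q and ts - q[0] > self.seconds:
            q.popleft()
        if len(q) >= self.count:
            # Assumption of this example: clear after firing so a burst
            # produces a single alert instead of one per extra match.
            q.clear()
            return True
        return False


def run_trigger(events, count, seconds):
    """Replay events in order and collect the (ts, sid, src) that fired."""
    rule = TriggerRule(count, seconds)
    alerts = []
    for ts, sid, src in events:
        if rule.observe((sid, src), ts):
            alerts.append((ts, sid, src))
    return alerts


if __name__ == "__main__":
    for ts, sid, src in run_trigger(SAMPLE_EVENTS, count=5, seconds=10):
        print(f"ALERT t={ts:>5}  sid={sid}  src={src}")
```

Keying on (signature, source) means a slow trickle from many hosts never crosses the threshold, which is exactly the gap a plain per-packet rule has and a threshold preprocessor is meant to close; keying on the signature alone would instead count the aggregate.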

