Snort mailing list archives

correlation on a snort sensor


From: "Sven Humm" <svenhumm () hotmail com>
Date: Tue, 09 Apr 2002 07:23:49 +0000

Hi

Is there a way to fire one alert only if a signature matches more than
"n" times on a specific signature that came from the same IP?


For example:
I only want one alert fired if my sensor matches more than 5 times
during 30 seconds to the same signature...and of course with the same
IP. (like a trigger)

In my opinion that should be possible to solve on the sensor....but I
never saw a sensor that can do that.
There are some correlation systems that do this job...but it would be
nice to define these things on the sensor.

Any help, suggestions, comments or ideas are welcome.

Thanks in advance

Sven
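
The trigger described in the message above, written out as a post-processing filter over alert records. This is an added example, not part of the original post and not Snort code or a Snort feature. The function name, the tuple layout, the re-arm policy (stay silent for one window after firing) and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

def threshold_alerts(events, limit=5, window=30.0):
    """Return one alert per burst: (ts, sid, src_ip, hits).

    events: iterable of (timestamp_seconds, signature_id, source_ip).
    An alert fires when the same (sid, src_ip) pair has matched MORE than
    `limit` times within the last `window` seconds.
    """
    recent = defaultdict(deque)  # (sid, src) -> match times still inside the window
    muted_until = {}             # (sid, src) -> time before which nothing is re-fired
    fired = []
    for ts, sid, src in sorted(events):   # process in time order
        key = (sid, src)
        hits = recent[key]
        hits.append(ts)
        # Slide the window: forget matches older than `window` seconds.
        while ts - hits[0] > window:
            hits.popleft()
        # Assumed re-arm policy: after firing, stay quiet for one full window
        # so a sustained burst produces one alert per window, not one per packet.
        if len(hits) > limit and ts >= muted_until.get(key, float("-inf")):
            fired.append((ts, sid, src, len(hits)))
            muted_until[key] = ts + window
    return fired

# Constructed sample data (documentation addresses, made-up signature ids).
SAMPLE = (
    # 6 matches in 10 s from one source: the 6th match fires the alert.
    [(float(t), 1002, "192.0.2.5") for t in (0, 2, 4, 6, 8, 10)]
    # More matches right after: suppressed, the burst was already reported.
    + [(12.0, 1002, "192.0.2.5"), (14.0, 1002, "192.0.2.5")]
    # Exactly 5 matches: not "more than 5", so no alert.
    + [(float(t), 1002, "192.0.2.9") for t in range(5)]
    # 6 matches, but spread over 50 s: never more than 5 inside any 30 s.
    + [(float(t), 1002, "192.0.2.20") for t in range(0, 60, 10)]
    # Same noisy source, different signature: counted separately.
    + [(float(t), 2001, "192.0.2.5") for t in (1, 3, 5)]
)

if __name__ == "__main__":
    for ts, sid, src, hits in threshold_alerts(SAMPLE):
        print(f"t={ts:>5.1f}s sid={sid} src={src} hits_in_window={hits}")
```

The per-key state grows with the number of distinct (signature, source) pairs seen, so a long-running deployment would also need to expire idle keys.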






_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net