Snort mailing list archives

Re: Snort Log Method


From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 29 Aug 2002 07:46:56 -0700 (PDT)

On Thu, 29 Aug 2002, Pedro Tedeschi wrote:

Is it possible for snort to log just one unique event per IP?

No.

Like this

The IP 1.1.1.1 has attacked 345 times on the same signature "WEB-IIS cmd.exe access".
But I want to log this attack just one time and discard the other attacks from this signature.

Can I do this?

Snort logs each and every event as an individual alert.  They are _different_
each time it goes off.  Even if you do get 500 CRII attacks, each packet is
different.  Therefore, each time it happens, it will generate an alert.

Now, what you _can_ do is use a log tool.  There is a tool called
snort_stat.pl that will read a logfile, and condense it.  You could then have
it emailed to you.  It gives a breakdown of events and the number of times it
occurred, among others.  IIRC, there is a version in the contrib dir in the
tarball.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
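The kind of condensing the reply describes (one line per source IP and signature, with a hit count, instead of 345 separate alerts) is easy to reproduce in a few lines. The script below is an added example written for this archive page; it is not snort_stat.pl and not part of Snort. It reads Snort's "fast" alert format and groups alerts by (source IP, signature). The sample alert lines, the destination addresses and the SID/revision numbers inside them are constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed sample alerts in Snort "fast" alert format (one alert per line).
# These are NOT from the original message; the SID/rev numbers and the
# 10.0.0.5 destination host are placeholders made up for this example.
SAMPLE_ALERTS = """\
08/29-07:40:01.000001 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 1.1.1.1:4321 -> 10.0.0.5:80
08/29-07:40:02.000002 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 1.1.1.1:4322 -> 10.0.0.5:80
08/29-07:40:03.000003 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 1.1.1.1:4323 -> 10.0.0.5:80
08/29-07:41:00.000004 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.7:51000 -> 10.0.0.5:80
08/29-07:42:00.000005 [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 1.1.1.1:4400 -> 10.0.0.5:80
this line is not an alert and is skipped by the parser
"""

# One "fast" alert line: timestamp, [gid:sid:rev], message, optional
# classification and priority, protocol, then src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"(?:\[Priority: (?P<prio>\d+)\] )?"
    r"\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return a dict of fields for a fast-format alert line, or None if it
    does not parse (Snort writes nothing else into the fast alert file, but
    a defensive parser should never choke on stray lines)."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def condense(text):
    """Group every alert by (source IP, signature message).

    Returns an ordered dict keyed by (src, msg) whose values carry the hit
    count, the SID, and the first/last timestamp seen. Every alert is still
    counted (Snort itself never drops them); only the report is condensed.
    """
    summary = OrderedDict()
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        key = (rec["src"], rec["msg"])
        entry = summary.get(key)
        if entry is None:
            summary[key] = {
                "count": 1,
                "sid": rec["sid"],
                "first": rec["ts"],
                "last": rec["ts"],
            }
        else:
            entry["count"] += 1
            entry["last"] = rec["ts"]  # file is chronological, so last wins
    return summary


def format_report(summary):
    """Render the summary as lines sorted by hit count, busiest source first."""
    rows = sorted(summary.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [
        "%d\t%s\t%s\t[sid %s]\tfirst %s\tlast %s"
        % (v["count"], src, msg, v["sid"], v["first"], v["last"])
        for (src, msg), v in rows
    ]


if __name__ == "__main__":
    # Replace SAMPLE_ALERTS with open("/var/log/snort/alert").read() on a
    # real sensor; the path is the conventional one and is an assumption here.
    for row in format_report(condense(SAMPLE_ALERTS)):
        print(row)
```

Run on the constructed input the report collapses the three cmd.exe alerts from 1.1.1.1 into a single row with a count of 3 and keeps the other source and the other signature as their own rows, which is the per-IP, per-signature breakdown the reply points to rather than a change to what Snort logs.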


