Snort mailing list archives

Does "log" still alert?


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Sat, 8 Feb 2003 09:13:29 -0600

I've created a rule for resetting connections that we don't want to
allow.  After making sure it worked, I changed the rule action from
alert to log.  I was expecting this to mean that I would no longer see
this rule showing up in ACID, but I still do.  What does log mean?  I
thought it meant log, but don't alert.

On a more general note, how do you handle the load of alerts you get?  I
see two ways.  Either you disable many of the standard rulesets, or you
customize them and don't update them very regularly.  Since I'm updating
rules daily, the second option really isn't any option.  Is there
another way to do it?  I'd rather not create a whole raft of custom
rules, but if I disable or alter one of the standard rules, it will just
be overwritten the next time that the rules are updated.

How are people handling that?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member 
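The second problem raised above, local changes to standard rules being wiped out by the next update, is the kind of thing a small post-update step can absorb: keep the list of sids you want disabled or downgraded outside the downloaded files, and re-apply it after every fetch. The script below is an added example and is not code from the original post or from the Snort project; it assumes Snort 2.x rule syntax (a rule line starting with the action word and carrying a `sid:N;` option), POSIX sh and awk, and the rule text and sid lists are constructed for demonstration. Disabled rules are commented out, and rules listed as log-only have their action rewritten from `alert` to `log`, the same edit the poster made by hand.

```shell
#!/bin/sh
# Added example: re-apply a locally kept rule policy to a freshly downloaded
# Snort rules file. Not part of the original post or of Snort itself.
# Assumes Snort 2.x rule lines of the form:
#   alert proto src sport -> dst dport (msg:"..."; sid:N; rev:M;)

# Constructed sample of what a freshly fetched rules file might contain.
FRESH_RULES='alert tcp any any -> any 80 (msg:"constructed rule A"; sid:1000001; rev:1;)
alert tcp any any -> any 25 (msg:"constructed rule B"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"constructed rule C"; sid:1000003; rev:1;)'

# Local policy, kept in a file of your own so an update never touches it
# (hard-coded here so the example runs stand-alone).
DISABLE_SIDS="1000002"    # rules that should never fire
LOG_ONLY_SIDS="1000003"   # rules to keep recording but stop alerting on

# apply_local_policy: reads rules on stdin, writes adjusted rules on stdout.
# Every sid in DISABLE_SIDS is commented out; every sid in LOG_ONLY_SIDS has
# its leading "alert" action rewritten to "log". Lines without a sid, or
# with a sid not in either list, pass through unchanged.
apply_local_policy() {
    awk -v disable="$DISABLE_SIDS" -v logonly="$LOG_ONLY_SIDS" '
    BEGIN {
        n = split(disable, d, " "); for (i = 1; i <= n; i++) off[d[i]] = 1
        n = split(logonly, l, " "); for (i = 1; i <= n; i++) lg[l[i]] = 1
    }
    {
        sid = ""
        # "sid:1000002;" -> skip the 4-char "sid:" prefix and the trailing ";"
        if (match($0, /sid:[0-9]+;/)) sid = substr($0, RSTART + 4, RLENGTH - 5)
        if (sid in off) { print "# " $0; next }
        if (sid in lg)  { sub(/^alert /, "log "); print; next }
        print
    }'
}

# Helpers that count the outcome of applying the policy to FRESH_RULES.
count_disabled() { printf '%s\n' "$FRESH_RULES" | apply_local_policy | grep -c '^# alert '; }
count_log_only() { printf '%s\n' "$FRESH_RULES" | apply_local_policy | grep -c '^log '; }
count_untouched() { printf '%s\n' "$FRESH_RULES" | apply_local_policy | grep -c '^alert '; }

# Stand-alone run: show the rewritten rule set.
printf '%s\n' "$FRESH_RULES" | apply_local_policy
```

In practice you would run the function over each downloaded `*.rules` file right after the update step, writing the result into the directory Snort actually loads from, so the pristine download and your policy stay separate and the policy is re-applied identically every day.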


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
