Snort mailing list archives

Re: Alert only when n number of rule matches rcvd


From: Erek Adams <erek () snort org>
Date: Thu, 13 Feb 2003 09:08:33 -0500 (EST)

On Wed, 12 Feb 2003, Jason Linden wrote:

> I am trying to set up a rule that will only generate an alert if n
> number of packets are received in n number of seconds.  I.e., like everyone
> else we receive a large number of false positive 'ICMP Destination
> Unreachable' alerts.  I would like to configure snort to only generate
> an alert if say 30 of these packets are rcvd in 30 seconds.  Is there
> any way to do this?

Nope.

You'd need to use swatch for something like that.

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
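
The kind of log post-processing the reply points to can be sketched as follows. This is an added example, not part of the original thread and not swatch itself; it assumes alerts are written in Snort's one-line "fast" alert format, and the function names, the sample lines and the `year` parameter are assumptions made for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Snort "fast" alert line: timestamp, [**] [gid:sid:rev] message [**], rest.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

def threshold_alerts(lines, pattern, count=30, seconds=30, year=2003):
    """Return the timestamps at which `count` alerts matching `pattern`
    fell inside a sliding window of `seconds`. The window is cleared after
    it fires, so one burst gives one notification, not one per packet."""
    window = deque()
    fired = []
    span = timedelta(seconds=seconds)
    for line in lines:
        m = ALERT_RE.match(line)
        if not m or not re.search(pattern, m.group("msg")):
            continue
        # Fast-alert timestamps carry no year; `year` is an assumption.
        ts = datetime.strptime(f"{year}/{m.group('ts')}",
                               "%Y/%m/%d-%H:%M:%S.%f")
        window.append(ts)
        while ts - window[0] >= span:   # drop alerts older than the window
            window.popleft()
        if len(window) >= count:
            fired.append(ts)
            window.clear()
    return fired

def sample_line(offset, msg="ICMP Destination Unreachable (Port Unreachable)"):
    """Build one constructed alert line `offset` seconds after 09:00:00.
    The sid (local-rule range) and the addresses are made up."""
    t = datetime(2003, 2, 13, 9, 0, 0) + timedelta(seconds=offset)
    return (f"{t:%m/%d-%H:%M:%S.%f}  [**] [1:1000001:1] {msg} [**] "
            "[Classification: Misc activity] [Priority: 3] "
            "{ICMP} 192.0.2.10 -> 192.0.2.20")

# Constructed input: 30 alerts in 15 s (a burst) vs. 30 alerts over 58 s.
BURST = [sample_line(i * 0.5) for i in range(30)]
SLOW = [sample_line(i * 2) for i in range(30)]

if __name__ == "__main__":
    print("burst:", threshold_alerts(BURST, r"ICMP Destination Unreachable"))
    print("slow: ", threshold_alerts(SLOW, r"ICMP Destination Unreachable"))
```

The burst produces a single notification at the 30th alert; the slow trickle never has more than 15 alerts inside any 30-second window and produces none.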

