Re: Can I still log every packet when thresholding the alerts?

[Jason Haar <Jason.Haar () trimble co nz>]

On Wed, 2003-11-26 at 09:13, Williams Jon wrote:
> So, I was thinking, could I use a rule that has the threshold stuff set
> to generate only one alert every X minutes and then have a second rule
> that just logs any packet that matches the same criteria?  I vaguely

I think you may be trying too hard to make the snort thresholding do
something that's not its job.

What wrong with not using thresholding in snort, but instead to rely on
your alerting/paging interface to do thresholding?

That's what we do here. Snort logs to syslog and mysql, and swatch
watches the syslog file, and sends pages/etc when it sees interesting
stuff - but uses it's threshold option to limit how many (e.g. 1 every
ten minutes).

Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users