Snort mailing list archives

Re: New rules keyword error


From: "Marc Quibell" <mquibell () fbfs com>
Date: Fri, 24 Oct 2003 08:57:15 -0500




Good point, John. Recently, that did happen to me, where I got a "flood" of new
alerts. (Testing or auto-updating, you still get the flood.) This flood
consisted of 8000 alerts. So I deleted them after filtering them in my
pass.rules. Problem solved. There is no flood I can't handle, I mean when this
Blaster thing came along, I had to delete 300,000 alerts at a time, and these
were not "False alerts"! I've had more problems with good alerts than with bad
ones! No big deal, Snort still chugs along fine. And I've made sure I can do
mass-deletes with no problems...


Message: 3
Date: Thu, 23 Oct 2003 16:42:23 -0500
From: "John Creegan" <jcreegan () questarweb com>
To: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] New rules keyword error

This is exactly what I was thinking.  Not hard at all.  However, Chris
Green has made (for me) a really good point.  What if the new ruleset
tests fine, snort starts up, and something unique to your (or mine, or
anyone's) environment causes a flood of alerts because of new rule(s)?

Though I was seriously thinking about creating a script to do just that
(I've only been working with snort for the last few months and hadn't
gotten that far yet) I can't ignore Chris's question (thanks, Chris!).
A flood of alerts due to a new rule isn't something I had thought of,
and I wasn't in the archives because I wasn't looking for a solution to
a problem.

Hmmm... I seem to be learning that the archives are of use for more
than just solution-hunting, and can be taken as a sort of compendium of
all human, (err, sorry about the "Time Machine" reference there :-)
snort knowledge.
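The triage step both posters describe (a new rule fires thousands of times, and the operator has to find which rule it was before filtering it out) can be scripted rather than done by hand. The following is an added example, not code from the thread or from the Snort project: it tallies Snort "alert_fast" one-line alerts by generator and signature id, flags any rule whose count crosses a threshold as a flood candidate for review, and prints the matching Snort 2 "suppress gen_id N, sig_id M" lines an operator could drop into threshold.conf while deciding whether the rule needs a pass rule, tuning, or removal. The log line layout, the sample alerts (with local-range SIDs) and the threshold are all constructed assumptions for the example.

```python
import re
from collections import Counter

# Assumed "alert_fast" layout (classic Snort 2 one-line output), e.g.:
# 10/24-08:57:15.100001  [**] [1:1000001:1] MSG [**] [Classification: ...] [Priority: 3] {TCP} a:p -> b:q
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

# Constructed sample alerts: one local rule (SID 1000001) is clearly the flood source.
SAMPLE_ALERTS = [
    "10/24-08:57:15.100001  [**] [1:1000001:1] CONSTRUCTED noisy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:40000 -> 198.51.100.5:80",
    "10/24-08:57:15.200002  [**] [1:1000001:1] CONSTRUCTED noisy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.11:40001 -> 198.51.100.5:80",
    "10/24-08:57:16.300003  [**] [1:1000002:1] CONSTRUCTED quiet rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.12:5000 -> 198.51.100.6:53",
    "10/24-08:57:16.400004  [**] [1:1000001:1] CONSTRUCTED noisy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.13:40002 -> 198.51.100.5:80",
    "this line is not an alert and must be skipped",
    "10/24-08:57:17.500005  [**] [1:1000001:1] CONSTRUCTED noisy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.14:40003 -> 198.51.100.5:80",
    "10/24-08:57:18.600006  [**] [1:1000003:2] CONSTRUCTED other rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.15:40004 -> 198.51.100.7:443",
    "10/24-08:57:19.700007  [**] [1:1000001:1] CONSTRUCTED noisy rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.16:40005 -> 198.51.100.5:80",
]


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "gid": int(m.group("gid")),
        "sid": int(m.group("sid")),
        "rev": int(m.group("rev")),
        "msg": m.group("msg"),
    }


def count_by_rule(lines):
    """Tally alerts per (gid, sid); also remember the first msg seen for each rule."""
    counts = Counter()
    msgs = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # blank lines, multi-line output, or garbage: ignore
        key = (alert["gid"], alert["sid"])
        counts[key] += 1
        msgs.setdefault(key, alert["msg"])
    return counts, msgs


def flood_candidates(lines, threshold):
    """Rules firing at least `threshold` times, busiest first: (gid, sid, count, msg)."""
    counts, msgs = count_by_rule(lines)
    return [(gid, sid, n, msgs[(gid, sid)])
            for (gid, sid), n in counts.most_common() if n >= threshold]


def suppression_lines(candidates):
    """Snort 2 threshold.conf 'suppress' directives for the flagged rules.

    Suppression only hides the alerts; whether the rule belongs in pass.rules,
    needs tuning, or should be dropped is still a decision for the operator."""
    return ["suppress gen_id %d, sig_id %d" % (gid, sid) for gid, sid, _, _ in candidates]


if __name__ == "__main__":
    threshold = 3  # assumed cut-off for "this is a flood, not a real event"
    for gid, sid, n, msg in flood_candidates(SAMPLE_ALERTS, threshold):
        print("%d:%d fired %d times: %s" % (gid, sid, n, msg))
    for directive in suppression_lines(flood_candidates(SAMPLE_ALERTS, threshold)):
        print(directive)
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file's lines; the threshold should be chosen from what the sensor normally sees per rule, not from a fixed number.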





