Snort mailing list archives

Re: Another Snort Rules Question


From: Erik Fichtner <emf () servervault com>
Date: Wed, 8 Sep 2004 20:36:06 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Sep 08, 2004 at 01:11:45PM -0700, Scott Elgram wrote:
> Erik,
>     Thank you for that, I looked into it and it may just be what I need,
> however... is there a way I can set it so it logs like normal, with the
> queue, but stops if a particular rule is found true?

MMmmmmm.... not off the top of my head.   I know it will order the
alerts by priority, but it's not a cumulative thing; with a
relatively minor modification to the source, you could set it up so that
each priority event had a weight to it, e.g.:
        priority 1 events weigh 100 points
        priority 2 events weigh 50 points
        priority 3 events weigh 25 points
        ...and so on, 
and then this proposed modification could be set so that it only
logs "125 points" worth of events.    Then, you could theoretically
change the priorities on your rules so that it worked the way you wanted.

...it's just a thought, and I don't know if it's even a very good one..
I can't actually see much use for having a half-functional event_queue..
Personally, I would want either the one best-match rule 
(e.g: "config event_queue: log 1 order_events content_length") 
or use some external correlator that isn't bothered too deeply by having
multiple events fire.    Again, that may just be my own personal bias.


- -- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD4DBQFBP6V2Q7EzrewLMS0RAsKoAJY3T3qQkQo72Zpnha7M+dn9QVJIAKCi9DBQ
9RB/0YEVtrZqgIviPdmcfg==
=1LXJ
-----END PGP SIGNATURE-----
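To make the two selection policies discussed in this message concrete, here is an added simulation of how Snort's event_queue picks which of several events fired by one packet get logged: the existing "log N order_events <priority|content_length>" behaviour and the point-budget variant sketched above. This is example code written for this archive page, not Snort source or anything the poster wrote. Assumptions: the weight table is extrapolated as halving per priority level (100, 50, 25, 12.5, ...), the sample events are constructed, and the budget walk is shown in two readings of "only log 125 points worth" (stop at the first event that does not fit, or skip it and keep walking).

```python
"""Constructed simulation of Snort 2.x event_queue selection for one packet,
plus the weighted point-budget variant proposed in the message above.
Added example for illustration; not Snort source code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    sid: int             # rule id
    priority: int        # 1 = most severe, as in the Snort 'priority' keyword
    content_length: int  # bytes of content: pattern the rule matched


def weight_for(priority):
    """Assumed extrapolation of the message's table: 100, 50, 25,
    'and so on', read here as halving per priority level."""
    return 100 / (2 ** (priority - 1))


def order_events(events, order):
    """Mimic 'order_events priority' (lowest number first) and
    'order_events content_length' (longest matched content first).
    Ties are broken by the other criterion and then by sid."""
    if order == "priority":
        key = lambda e: (e.priority, -e.content_length, e.sid)
    elif order == "content_length":
        key = lambda e: (-e.content_length, e.priority, e.sid)
    else:
        raise ValueError(f"unknown order_events value: {order}")
    return sorted(events, key=key)


def select_log_n(events, log_n, order="content_length"):
    """'config event_queue: log N order_events <order>': keep the first N
    sids of the ordered queue."""
    return [e.sid for e in order_events(events, order)[:log_n]]


def select_weighted(events, budget, order="priority", skip_unaffordable=False):
    """Proposed variant: each event costs weight_for(priority) points and
    logging ends once the budget is spent.  With skip_unaffordable=True the
    walk continues past an event that does not fit, so cheaper
    (lower-priority) events can still use the remaining points."""
    logged, spent = [], 0.0
    for e in order_events(events, order):
        cost = weight_for(e.priority)
        if spent + cost > budget:
            if skip_unaffordable:
                continue
            break
        logged.append(e.sid)
        spent += cost
    return logged


# Constructed sample: four rules firing on the same packet.
PACKET_EVENTS = [
    Event(sid=1001, priority=1, content_length=12),
    Event(sid=2002, priority=3, content_length=30),
    Event(sid=3003, priority=2, content_length=8),
    Event(sid=4004, priority=3, content_length=5),
]

if __name__ == "__main__":
    print("log 1 order_events content_length:", select_log_n(PACKET_EVENTS, 1))
    print("log 3 order_events priority:      ", select_log_n(PACKET_EVENTS, 3, "priority"))
    print("budget 125, stop at first misfit: ", select_weighted(PACKET_EVENTS, 125))
    print("budget 125, skip misfits:         ",
          select_weighted(PACKET_EVENTS, 125, skip_unaffordable=True))
```

The run shows why the message prefers a single best match: with "log 1 order_events content_length" the most specific rule (sid 2002, longest content) is the only one logged, while the budget variant in priority order logs the priority-1 event and then either stops (priority-2 event costs 50, which overshoots 125) or, in the skip reading, fills the remaining 25 points with a priority-3 event. The result depends as much on the ordering and on how unaffordable events are treated as on the weights themselves, which is the "half-functional event_queue" concern raised above.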



