Snort mailing list archives

Re: Notification limitation


From: Jaime Nebrera <jnebrera () gmail com>
Date: Fri, 13 Jan 2012 21:20:21 +0100

Thanks Joel,

I will do ASAP

May I suggest you explain that in the docs? You reference it's done the same
way as in the past, but don't say what this is :D

Sent from my iPhone

On 13/01/2012, at 21:07, Joel Esler <jesler () sourcefire com> wrote:

In your threshold.conf file that is an include from your snort.conf.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 13, 2012, at 1:44 PM, Jaime Nebrera <jnebrera () gmail com> wrote:

I'm aware of this, I just don't know where to put such configuration :)

Sent from my iPhone

On 13/01/2012, at 19:16, CleBeer <clebeer () gmail com> wrote:

Hi,
you can use this option in your snort.conf

-----
 event_filter \
        gen_id 0, sig_id 0, \
        type both, track by_src, \
        count 6, seconds 600
----

Take a look in the README.filters at snort source for more examples.


cheers

On Thu, Jan 12, 2012 at 8:20 AM, Jaime Nebrera <jnebrera () gmail com> wrote:

  Hi all,

  I'm aware this is a basic question but I'm a bit lost.

  I would like to limit the number of alarms sent to a Snorby system in
a general way (not specific to a particular rule).

  Something like this:

  For a particular event send no more than 3 per minute AND 6 per 5 minutes

  I want to apply this limit to ALL rules and events, thus won't get
flooded by the same event many times in the same timeframe

  Of course this doesn't mean more events can reach the snorby box, but
they will be different rules, not the same

  May I ask how to do this?


------------------------------------------------------------------------------
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!




-- 
-----------------------------
Cleber S. Brandão
Mob. +55 11 9333-9429

clebeerpub.blogspot.com
www.snort.org.br
  ,, _
 o"    )~
   '' ''
http://www.linkedin.com/in/clebeer
-----------------------------------
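
Added example (not part of the thread and not Snort source code): a simplified Python model of the three event_filter types as README.filters describes them, run over constructed events with the "count 6, seconds 600" values from the reply above. It assumes the interval for a rule and source starts at the first event seen for that pair, and that a global filter (gen_id 0, sig_id 0) with "track by_src" counts each rule and source separately; the function names are hypothetical.

```python
# Simplified model of Snort event_filter types (illustration, not Snort source).
# Assumption: the interval for a key starts at the first event seen for it.

def apply_event_filter(events, ftype, count, seconds):
    """Return the events that would still be logged.

    events: (timestamp, gen_id, sig_id, src_ip) tuples sorted by timestamp.
    Counters are kept per (gen_id, sig_id, src_ip), modelling a global
    filter (gen_id 0, sig_id 0) with 'track by_src'.
    """
    if ftype not in ("limit", "threshold", "both"):
        raise ValueError("unknown event_filter type: %r" % ftype)
    state = {}   # key -> [interval_start, events_seen_in_interval]
    logged = []
    for ev in events:
        ts, gen_id, sig_id, src = ev
        key = (gen_id, sig_id, src)
        st = state.get(key)
        if st is None or ts - st[0] >= seconds:
            st = state[key] = [ts, 0]        # interval expired: start a new one
        st[1] += 1
        seen = st[1]
        if ftype == "limit":                 # first `count` events per interval
            keep = seen <= count
        elif ftype == "threshold":           # every `count`-th event
            keep = seen % count == 0
        else:                                # both: once, on the `count`-th event
            keep = seen == count
        if keep:
            logged.append(ev)
    return logged


def sample_events():
    """Constructed input: one noisy source and one source seen only once."""
    noisy = [(t, 1, 1000001, "10.0.0.5") for t in range(0, 1200, 10)]
    single = [(30, 1, 1000002, "10.0.0.9")]
    return sorted(noisy + single)


if __name__ == "__main__":
    evs = sample_events()
    for ftype, count, seconds in (("both", 6, 600), ("limit", 6, 600), ("limit", 3, 60)):
        out = apply_event_filter(evs, ftype, count, seconds)
        print("%-5s count %d, seconds %-3d -> %3d of %d events logged"
              % (ftype, count, seconds, len(out), len(evs)))
```

In this model the source seen only once produces no alert at all under "type both", because its counter never reaches 6, while "type limit" still logs it.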
