Snort mailing list archives

Re: Only monitor high severity alerts


From: Jeremy Hoel <jthoel () gmail com>
Date: Fri, 2 Nov 2012 15:17:55 +0000

Well, what are you using to monitor the alerts?

Also, if you can look at the large number of alerts, they might be
false positives (i.e. port scan processor, or IPC$ from file servers to
clients), and that's where tweaking the IP variables and disabling or
thresholding (by IP) rules comes in.


On Fri, Nov 2, 2012 at 3:09 PM, Tom Voussure <tom.voussure () gmail com> wrote:

Hi,

I've installed Snort some days ago for the first time, so I'm still a
newbie :-)

I've configured a SPAN port to monitor all our incoming/outgoing traffic
from the internet and got lots of alerts (around 50.000 in 3 days' time).

As I can't review all of them, I would like to start concentrating on the
high severity alerts only, and leave the medium and low severity alerts
untouched.

Is there an easy way to only monitor the high severity alerts or to
download only rules for high severity alerts?

Thanks!
tom

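The reply above points at two things: looking only at the severe alerts, and finding the noisy signatures that are candidates for thresholding or disabling. The following is an added example, not code from the thread, that does both over constructed lines in Snort's alert_fast format, keyed on the [Priority: N] field that Snort's classification.config assigns (1 = high, 2 = medium, 3 = low); the sample alert lines, SIDs and addresses are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Snort alert_fast format (not real alerts).
SAMPLE_ALERTS = """\
11/02-15:01:02.000001  [**] [1:1000001:1] CONSTRUCTED web shell upload attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80
11/02-15:01:05.000002  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.20 -> 192.0.2.10
11/02-15:01:09.000003  [**] [1:2000002:2] CONSTRUCTED SMB IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.5:445 -> 192.0.2.31:49152
11/02-15:01:11.000004  [**] [1:2000002:2] CONSTRUCTED SMB IPC$ share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.5:445 -> 192.0.2.32:49153
11/02-15:02:30.000005  [**] [1:1000003:1] CONSTRUCTED suspicious admin login [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:40000 -> 192.0.2.10:22
"""

# [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {proto} src -> dst
# The Classification field is optional (preprocessor alerts such as portscan omit it).
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])? \[Priority: (?P<prio>\d+)\]"
    r" \{(?P<proto>[^}]*)\} (?P<src>[^ ]+) -> (?P<dst>\S+)"
)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["priority"] = int(alert.pop("prio"))
    # Strip the port if present; portscan alerts carry a bare IPv4 address.
    alert["src_ip"] = alert["src"].rsplit(":", 1)[0]
    return alert


def high_severity(lines, max_priority=1):
    """Keep only alerts whose priority is at or above the given severity."""
    parsed = (parse_alert(line) for line in lines)
    return [a for a in parsed if a and a["priority"] <= max_priority]


def noisy_signatures(lines, top=3):
    """Count (gid, sid, source IP) triples: the loudest ones are the first
    candidates for an event_filter/threshold by IP or for disabling."""
    counts = Counter()
    for a in (parse_alert(line) for line in lines):
        if a:
            counts[(a["gid"], a["sid"], a["src_ip"])] += 1
    return counts.most_common(top)


if __name__ == "__main__":
    lines = SAMPLE_ALERTS.splitlines()
    for a in high_severity(lines):
        print(a["priority"], a["sid"], a["msg"], a["src"], "->", a["dst"])
    print(noisy_signatures(lines))
```

Point the script at a real alert file (alert_fast output) instead of SAMPLE_ALERTS to get the same two views over the 3 days of alerts.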

------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
