Snort mailing list archives
Re: Only monitor high severity alerts
From: Jeremy Hoel <jthoel () gmail com>
Date: Fri, 2 Nov 2012 15:17:55 +0000
Well, what are you using to monitor the alerts? Also, if you can look at the large number alerts, they might false positives (ie: port scan proccessor, or IPC$ from file servers to clients), and that's where tweaking the IP variables and disabling or threshold (by ip) rules comes in. On Fri, Nov 2, 2012 at 3:09 PM, Tom Voussure <tom.voussure () gmail com> wrote:
Hi, I've installed Snort some days ago for the first time, so i'm still a newby :-) I've configured a SPAN port to monitor all our incoming/outgoing traffic from the internet and got lots of alerts (around 50.000 in 3 days times). As I can't review all of them, I would like to start concentrating on the high severity alerts only, and let the medium and low severity alerts untouched. Is there an easy way to only monitor the high severity alerts or to download only rules for high severity alerts? Thanks ! tom ------------------------------------------------------------------------------ LogMeIn Central: Instant, anywhere, Remote PC access and management. Stay in control, update software, and manage PCs from one command center Diagnose problems and improve visibility into emerging IT issues Automate, monitor and manage. Do more in less time with Central http://p.sf.net/sfu/logmein12331_d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ LogMeIn Central: Instant, anywhere, Remote PC access and management. Stay in control, update software, and manage PCs from one command center Diagnose problems and improve visibility into emerging IT issues Automate, monitor and manage. Do more in less time with Central http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Only monitor high severity alerts Tom Voussure (Nov 02)
- Re: Only monitor high severity alerts Jeremy Hoel (Nov 02)
- Re: Only monitor high severity alerts Tom Voussure (Nov 02)
- Re: Only monitor high severity alerts Jeremy Hoel (Nov 02)
- Re: Only monitor high severity alerts Tom Voussure (Nov 02)
- Re: Only monitor high severity alerts JJC (Nov 02)
- Re: Only monitor high severity alerts waldo kitty (Nov 02)
- Re: Only monitor high severity alerts Tom Voussure (Nov 02)
- Re: Only monitor high severity alerts Jeremy Hoel (Nov 02)