Snort mailing list archives
Enormous amount of alerts
From: Christian Leclerc <christian.leclerc () sphere3solutions com>
Date: Thu, 4 Jul 2019 09:29:43 -0400
Hello guys! I have created a plugin in snort3 and it's very interesting how much data I can get from it. The problem is that if, for example, I start a torrent, it logs on every packet. The same alert is triggered for the same IP and the same source so many times. Example:

2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found

Does someone know how to adjust the trigger in the configuration to alert only once if it's the same alert for every other packet after?

cheers,
Christian L.
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
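The configuration-side answer to the question above, as an added example that is not part of the original thread or of the poster's plugin: a snort.lua fragment using Snort 3's event_filter module (type 'limit') so that a given gid:sid is logged at most once per source address per time window, plus a suppress entry for the case where one peer should never raise the alert at all. The gid 1 / sid 1000001 pair is a placeholder assumption; a custom plugin's events carry whatever gid:sid the plugin registers, and that is what must go here.

```lua
-- Added example, not from the original post or the Snort project.
-- Drop this into (or include from) snort.lua.
--
-- ASSUMPTION: the noisy alert is identified by gid 1 / sid 1000001.
-- Replace with the gid:sid your plugin actually registers for
-- "experimental TCP options found".

-- event_filter with type = 'limit': for each tracked address, log the
-- first `count` events in every `seconds` window and drop the rest.
-- track = 'by_src' keys the counter on the source IP of the packet.
event_filter =
{
    {
        gid = 1, sid = 1000001,
        type = 'limit',
        track = 'by_src',
        count = 1,       -- one alert ...
        seconds = 60,    -- ... per source, per 60-second window
    },
}

-- suppress: never log this gid:sid when the tracked address matches.
-- 17.174.1.5 is the peer from the posted output, used here as the
-- illustration of a host you have decided is known-noisy.
suppress =
{
    { gid = 1, sid = 1000001, track = 'by_src', ip = '17.174.1.5' },
}
```

Two caveats worth knowing before relying on this. First, the posted output shows the alert firing in both directions of the same connection (localhost to 17.174.1.5:443 and 17.174.1.5:443 to localhost); with track = 'by_src' each direction has a different source address, so the limit filter above yields two alerts per window rather than one, and it still does not coalesce alerts across different peers. Second, event_filter only throttles what is logged; the plugin still runs and still generates the event on every packet, so if the cost is detection-side rather than log-side, the fix belongs in the plugin (for example, raising the event once per flow instead of once per packet). `snort --help-module event_filter` and `snort --help-module suppress` print the accepted parameters for the installed version.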
Current thread:
- Enormous amount of alerts Christian Leclerc (Jul 04)
- Re: Enormous amount of alerts Al Lewis (allewi) via Snort-devel (Jul 04)