Snort mailing list archives

Re: Enormous amount of alerts


From: "Al Lewis \(allewi\) via Snort-devel" <snort-devel () lists snort org>
Date: Thu, 4 Jul 2019 14:07:54 +0000

Sounds like you want a threshold on the number of alerts you receive within a given time (or count) of an event.

Check the documentation in the download for Snort 3.


For Snort 2 you can check here:

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html




Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com
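As an added example, not part of Al's reply or of the Snort project's own documentation, the following snort.lua fragment applies the kind of threshold the reply refers to, using Snort 3's event_filter and suppress tables. The gid:sid 116:58 is an assumption: it is the decoder event number Snort has historically used for the "experimental TCP options found" message, but you should take the gid:sid from your own alert output (or from `snort --help-builtin`, and from your plugin's own event table if the plugin raises its own events) before copying these numbers. The Snort 2 equivalents are given in the comments.

```lua
-- snort.lua fragment (added example, not from the original post or the Snort project).
-- Assumption: the "(tcp) experimental TCP options found" decoder event is gid 116, sid 58.
-- Confirm the gid:sid of the event you actually see in your own alert output before use.

-- Rate-limit the event instead of logging it on every packet.
--   type  = 'limit'   -> log the first <count> events per <seconds>, then stay silent
--                        until the window rolls over
--   track = 'by_src'  -> one window per source address, so the two directions in the
--                        log above (localhost -> peer, peer -> localhost) each produce
--                        one alert per minute instead of one alert per packet
-- Snort 2 equivalent (snort.conf / threshold.conf, not Lua):
--   event_filter gen_id 116, sig_id 58, type limit, track by_src, count 1, seconds 60
event_filter =
{
    { gid = 116, sid = 58, type = 'limit', track = 'by_src', count = 1, seconds = 60 },
}

-- For a peer that is known to be noisy (a torrent tracker, for example) and whose
-- traffic you have already examined, suppress the event for that address outright.
-- suppress is tested before event_filter and discards the event: nothing is logged,
-- so it is a deliberate blind spot, not a rate limit. Both directions are covered
-- because the peer appears as source in some records and as destination in others.
-- Snort 2 equivalent:
--   suppress gen_id 116, sig_id 58, track by_src, ip 17.174.1.5
--   suppress gen_id 116, sig_id 58, track by_dst, ip 17.174.1.5
suppress =
{
    { gid = 116, sid = 58, track = 'by_src', ip = '17.174.1.5' },
    { gid = 116, sid = 58, track = 'by_dst', ip = '17.174.1.5' },
}
```

With the event_filter alone, the sixteen records in the quoted log (all within one second, two source addresses) collapse to two alerts: one for localhost as source and one for 17.174.1.5. Use `type = 'threshold'` instead of `'limit'` if you want the opposite behaviour (alert only once a source has produced `count` events in the window), and `'both'` to combine them. The Snort 2 manual notes that only one event_filter may be defined per gen_id/sig_id pair, so pick one policy per event rather than stacking filters.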



From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Christian Leclerc <christian.leclerc () sphere3solutions com>
Date: Thursday, July 4, 2019 at 9:47 AM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] Enormous amount of alerts

Hello guys!
I have created a plugin in Snort 3, and it's very interesting how much data I can get from it.
The problem is that if, for example, I start a torrent, it logs on every packet. The same alert is triggered for the same IP and the same source so many times.


Example:

2019-07-03 22:16:36  3  localhost       17.174.1.5:443  (tcp) experimental TCP options found
2019-07-03 22:16:36  3  17.174.1.5:443  localhost       (tcp) experimental TCP options found
2019-07-03 22:16:36  3  17.174.1.5:443  localhost       (tcp) experimental TCP options found
2019-07-03 22:16:36  3  localhost       17.174.1.5:443  (tcp) experimental TCP options found
2019-07-03 22:16:36  3  localhost       17.174.1.5:443  (tcp) experimental TCP options found
2019-07-03 22:16:36  3  17.174.1.5:443  localhost       (tcp) experimental TCP options found
2019-07-03 22:16:36  3  localhost       17.174.1.5:443  (tcp) experimental TCP options found
2019-07-03 22:16:36  3  17.174.1.5:443  localhost       (tcp) experimental TCP options found
2019-07-03 22:16:36  3  17.174.1.5:443  localhost       (tcp) experimental TCP options found
2019-07-03 22:16:36  3  localhost       17.174.1.5:443  (tcp) experimental TCP options found
2019-07-03 22:16:36  3  localhost       17.174.1.5:443  (tcp) experimental TCP options found
2019-07-03 22:16:36  3  17.174.1.5:443  localhost       (tcp) experimental TCP options found
2019-07-03 22:16:36  3  localhost       17.174.1.5:443  (tcp) experimental TCP options found
2019-07-03 22:16:36  3  17.174.1.5:443  localhost       (tcp) experimental TCP options found
2019-07-03 22:16:36  3  17.174.1.5:443  localhost       (tcp) experimental TCP options found
2019-07-03 22:16:36  3  localhost       17.174.1.5:443  (tcp) experimental TCP options found
Does someone know how to adjust the trigger in the configuration to alert only once if it's the same alert for every other packet after?

cheers,
Christian L.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
