Snort mailing list archives

Re: Snort-devel Digest, Vol 25, Issue 1


From: Christian Leclerc <christian.leclerc () sphere3solutions com>
Date: Thu, 4 Jul 2019 10:27:36 -0400

Hello Al,
Thanks for the reply!! Yes, it is exactly what I need for Snort 3.

I know that, from the documentation, I need to update this:

-- use latency to monitor / enforce packet and rule thresholds
latency =
{
    packet = { max_time = 1500 },
    rule = { max_time = 200 },
}

But my question is more about what would be the best values for these
latency parameters.

Christian Leclerc, CSSLP, CEH, OCMJEA, OCPJBCD, SCJP, ZCE
christian.leclerc () sphere3solutions com

Sphere 3 Solutions inc.
No. d'entreprise: 842171969
Tél.: 514-940-1067
http://www.sphere3solutions.com



On Thu, Jul 4, 2019 at 10:11 AM <snort-devel-request () lists snort org> wrote:


Today's Topics:

   1. Enormous amount of alerts (Christian Leclerc)
   2. Re: Enormous amount of alerts (Al Lewis (allewi))


----------------------------------------------------------------------

Message: 1
Date: Thu, 4 Jul 2019 09:29:43 -0400
From: Christian Leclerc <christian.leclerc () sphere3solutions com>
To: snort-devel () lists snort org
Subject: [Snort-devel] Enormous amount of alerts
Message-ID: <CA+VMzsKUoQ=Egv-XpnCd0PNqe_jLxOxbmzNyYUn4EWFr6=1E+Q () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Hello guys!
I have created a plugin in snort3 and it's very interesting how much data I
can get from it.
The problem is that if, for example, I start a torrent, it logs on every
packet. The same alert is triggered for the same IP and the same source so
many times.


Example:

2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found

Does someone know how to adjust the trigger in the configuration to alert
only once if it's the same alert for every other packet after?

cheers,
Christian L.


------------------------------

Message: 2
Date: Thu, 4 Jul 2019 14:07:54 +0000
From: "Al Lewis (allewi)" <allewi () cisco com>
To: Christian Leclerc <christian.leclerc () sphere3solutions com>,
        "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] Enormous amount of alerts
Message-ID: <1F77A857-7B5D-4CD3-9F73-6B0E543B47EE () cisco com>
Content-Type: text/plain; charset="utf-8"

Sounds like you want a threshold on the amount of alerts you receive
within a given time (or count) of an event.

Check the documentation in the download for snort3


For snort2 you can check here:

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html




Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com
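The thresholding Al refers to lives in the Snort 3 event_filter module, not in the latency module quoted earlier in the thread. The fragment below is an added example for snort.lua, not code from the thread or the Snort project; the gid/sid pair is a placeholder for the plugin's own rule identifiers.

```lua
-- Added example: limit how often one alert is logged in Snort 3.
-- PLACEHOLDER: replace gid = 1, sid = 1000001 with the gid:sid the plugin raises.
--
-- type = 'limit'     -> log the first 'count' events per window, suppress the rest
-- type = 'threshold' -> log once every 'count' events within the window
-- type = 'both'      -> log once when 'count' is reached, then suppress for the window
-- track = 'by_src' | 'by_dst' -> the address the counter is keyed on
event_filter =
{
    -- one alert per source address per 60-second window: the torrent case
    -- in the thread would then yield two log lines (one per direction)
    -- instead of one per packet
    { gid = 1, sid = 1000001, type = 'limit', track = 'by_src', count = 1, seconds = 60 },
}

-- Contrast: latency bounds packet and rule processing time (max_time) so a
-- slow rule cannot stall the pipeline. It never changes how many times an
-- alert is written, so tuning these values does not address the question.
latency =
{
    packet = { max_time = 1500 },
    rule = { max_time = 200 },
}
```

An entry whose gid:sid does not match the rule that fires is silently ineffective, so confirm the identifiers against the plugin's rule before relying on the filter.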




------------------------------



------------------------------

End of Snort-devel Digest, Vol 25, Issue 1
******************************************
