[Snort-devel] Alerting after Threshold/Suppression

Justin Mitchell tcpandip at ...2499...
Wed Apr 11 11:53:55 EDT 2007

I would like a rule to alert for a specified amount/time AFTER a threshold
is met. Currently, the rule only alerts (like it should) once every minute
if more than 45 HTTP <non_image> requests are made within one minute.
However, I would like for it (as long as it meets the specified flags and
pcre) to fire thereafter for N seconds and/or N alerts. The catalyst for all
this is I need to extract/roll-up the accompanying GET requests to verify
fidelity and illustrate more context (w/o reviewing the log).

Options tested/contemplated thus far (to my knowledge):

Activate/Dynamic rule - Only valid for logging. If compatible with
*alerting* I imagine I could construct an activate/pass -> dynamic/alert
Flowbits - Only valid for that session.
Suppression - Absolute **suppression.
Tag - Nonessential packets are displayed.

Any ideas? Is Snort alone capable of this without manually correlating the
solo alert to web logs? If not, any upcoming releases that will allow this?
Telling Snort to run <insert_program_here>
(pl,sh,py,etc) is another viable option but I could not locate
concrete/stable information on how to accomplish this. 3rd party/home-grown


- Justin

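Since Snort itself only emits the single threshold alert, the roll-up the post asks for can be done outside Snort by pairing each alert with the web log. The script below is an added example (not from the post or from Snort): it reads fast-format alerts and an Apache combined-format access log, both constructed here, and collects the GET requests the alerting source made in the N seconds after each alert, skipping image fetches. It assumes fast alerts carry no year (so one is supplied) and that both logs use the same local clock.

```python
"""Roll up the GET requests that follow a Snort threshold alert (constructed
example). Assumes Snort fast-alert format (no year, so one is supplied), an
Apache combined-format access log, and both clocks in the same local time."""
import re
from datetime import datetime, timedelta

ASSUMED_YEAR = 2007  # fast alerts carry no year unless snort is run with -y
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] "(?P<method>\S+) (?P<path>\S+)')
IMAGE_RE = re.compile(r"\.(gif|jpe?g|png|ico)(\?|$)", re.I)
# Constructed sample data: one threshold alert and a few access-log lines.
ALERTS = ("04/11-11:50:02.123456  [**] [1:1000001:1] HTTP non-image request "
          "flood [**] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.1.10:80\n")
ACCESS_LOG = """\
10.0.0.5 - - [11/Apr/2007:11:50:01 -0400] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [11/Apr/2007:11:50:03 -0400] "GET /search?q=a HTTP/1.1" 200 1024
10.0.0.5 - - [11/Apr/2007:11:50:04 -0400] "GET /logo.png HTTP/1.1" 200 2048
10.0.0.9 - - [11/Apr/2007:11:50:05 -0400] "GET /search?q=b HTTP/1.1" 200 900
10.0.0.5 - - [11/Apr/2007:11:50:40 -0400] "GET /search?q=c HTTP/1.1" 200 900
"""

def parse_alerts(text, year=ASSUMED_YEAR):
    """Yield (timestamp, source_ip) for each fast-format alert line."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            stamp = f"{year}/{m['mon']}/{m['day']} {m['time']}"
            yield datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S"), m["src"]

def parse_requests(text):
    """Yield (timestamp, client_ip, path) for each GET line in the access log."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "GET":
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S"), m["ip"], m["path"]

def rollup(alert_text, log_text, window_seconds=30, skip_images=True):
    """Map (alert time, source IP) -> GET paths that source requested within
    window_seconds after the alert; image fetches are dropped by default."""
    requests = list(parse_requests(log_text))
    result = {}
    for alert_ts, src in parse_alerts(alert_text):
        end = alert_ts + timedelta(seconds=window_seconds)
        result[(alert_ts, src)] = [path for ts, ip, path in requests
                                   if ip == src and alert_ts <= ts <= end
                                   and not (skip_images and IMAGE_RE.search(path))]
    return result
```

With the sample data, the 30-second window after the alert keeps only `/search?q=a` from 10.0.0.5: the earlier request, the image, the other client and the request at 11:50:40 are all excluded.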