[Snort-sigs] Signatures

Nelson, James (CC-MIS Plans and Prog) James.Nelson at ...74...
Thu Mar 21 13:01:58 EST 2002


This is just an observation and it is for the entire group. I said something
earlier and nobody gave me any feedback.  

Why not build rules that activate logging but only alert once on a given session?

The other thought I have is why not build rules that look for certain
patterns in the RESPONSE that indicate the attempt was successful or that it
failed?  What good are alerts without being able to establish some priority
to them based on the system's reaction?

+ $0.02

James Nelson
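
The two ideas in the post above (alert once per session while logging the rest of it, and set priority from the server's response), sketched as an added example that is not part of the original message and is not Snort code. The signature strings, priority values and sample packets are constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical signatures, chosen only to illustrate the correlation.
REQUEST_SIGS = {b"cmd.exe": "WEB-IIS cmd.exe access"}
SUCCESS_SIGS = [b"Volume Serial Number"]          # response looks like command output
FAILURE_SIGS = [b"HTTP/1.1 404", b"HTTP/1.1 403"]  # server refused the request

@dataclass
class Session:
    msg: str
    priority: int = 2                 # assumed scale: 1 succeeded, 2 unknown, 3 failed
    logged: list = field(default_factory=list)

def correlate(packets):
    """packets: iterable of (session_id, direction, payload).
    Returns (alerts, sessions): one alert per flagged session, with every
    packet from the first hit onward logged under that session."""
    sessions, alerts = {}, []
    for sid, direction, payload in packets:
        s = sessions.get(sid)
        if s is None:
            # Only a client request can open a tracked session.
            if direction != "to_server":
                continue
            hit = next((m for p, m in REQUEST_SIGS.items() if p in payload), None)
            if hit is None:
                continue
            s = sessions[sid] = Session(hit)
            alerts.append(sid)        # alert once; later hits are only logged
        s.logged.append((direction, payload))
        if direction == "to_client":
            # The response decides the priority of the alert already raised.
            if any(p in payload for p in SUCCESS_SIGS):
                s.priority = 1
            elif s.priority != 1 and any(p in payload for p in FAILURE_SIGS):
                s.priority = 3
    return alerts, sessions

# Constructed sample traffic: A succeeds, B is refused, C is benign.
SAMPLE = [
    ("A", "to_server", b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n"),
    ("A", "to_client", b"HTTP/1.1 200 OK\r\n\r\n Volume Serial Number is 0000-0000"),
    ("A", "to_server", b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n"),
    ("B", "to_server", b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n"),
    ("B", "to_client", b"HTTP/1.1 404 Not Found\r\n\r\n"),
    ("C", "to_server", b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("C", "to_client", b"HTTP/1.1 200 OK\r\n\r\n"),
]
```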