[Snort-sigs] Limiting Alert Rates? Newbie
jake_roberts at ...1807...
Tue Aug 26 12:33:36 EDT 2003
I'm sure this has been discussed before, but being a Newbie I get to
bring it up again.
We just set up Snort to test it out on our campus network. It's watching
a lot of traffic go by and seems to handle it pretty well.
This last week we have had a huge infection of the Nachi/Welchia worm
and have been ICMP packet stormed ever since. Snort has proved vital to
detecting these systems and getting them cleaned up.
We let snort run over one weekend and we filled the system's filesystem
with logs. Over 20 million alerts about Ping.
Is there a way to write a rule (or something else) to only throw an
alert after X matches? We would set it at something like 1000 pings
throws an alert, rather than a separate alert for each ping.
BYU Network Security
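The behaviour asked for above is what Snort 2.x's `threshold` keyword provides (`type threshold, track by_src, count N, seconds S` fires once per N matches from one source inside the window; `type limit` keeps only the first N; `type both` fires once per window after N). The following is an added example, not code from the original post or from the Snort project: it replays those three semantics over a constructed stream of ICMP PING events so the difference in alert volume is visible.

```python
from collections import defaultdict

# Constructed sample for one signature ("ICMP PING"): (timestamp_seconds, src_ip).
# A worm-infected host sends 2,500 echo requests in 25 s; a normal host sends 3.
SAMPLE_EVENTS = [(i * 0.01, "10.0.0.5") for i in range(2500)] + \
                [(t, "10.0.0.9") for t in (1.0, 2.0, 3.0)]

def apply_threshold(events, kind, count, seconds):
    """Replay Snort 2.x threshold semantics (track by_src) over (time, src) events
    for a single SID and return the events that would still produce an alert.
    kind='limit'     -> alert on the first `count` events per source per window, drop the rest
    kind='threshold' -> alert once every `count` events per source per window
    kind='both'      -> alert once per window per source, only after `count` events were seen
    """
    if kind not in ("limit", "threshold", "both"):
        raise ValueError("kind must be limit, threshold or both")
    state = {}    # src -> (window_start, events_seen_in_window)
    fired = []
    for t, src in sorted(events):
        start, n = state.get(src, (None, 0))
        if start is None or t - start >= seconds:
            start, n = t, 0           # window expired (or first event): open a new one
        n += 1
        state[src] = (start, n)
        if kind == "limit" and n <= count:
            fired.append((t, src))
        elif kind == "threshold" and n % count == 0:
            fired.append((t, src))
        elif kind == "both" and n == count:
            fired.append((t, src))
    return fired

def alerts_per_source(fired):
    """Summarise a list of alerted (time, src) events as {src: alert_count}."""
    per_src = defaultdict(int)
    for _, src in fired:
        per_src[src] += 1
    return dict(per_src)

if __name__ == "__main__":
    print("no threshold:      ", alerts_per_source(SAMPLE_EVENTS))
    print("threshold 1000/60s:", alerts_per_source(apply_threshold(SAMPLE_EVENTS, "threshold", 1000, 60)))
    print("limit 1/60s:       ", alerts_per_source(apply_threshold(SAMPLE_EVENTS, "limit", 1, 60)))
    print("both 1000/60s:     ", alerts_per_source(apply_threshold(SAMPLE_EVENTS, "both", 1000, 60)))
```

Note that `type threshold` with a high count silences the quiet host entirely, which is usually what you want for a worm storm but not for a rule where every hit matters; `type limit` keeps one alert per source per window instead.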