[Snort-sigs] Limiting Alert Rates? Newbie

Jacob Roberts jake_roberts at ...1807...
Tue Aug 26 12:33:36 EDT 2003


Hello all,

I'm sure this has been discussed before, but being a Newbie I get to
bring it up again.

We just set up Snort to test it out on our campus network.  It's watching
a lot of traffic go by and seems to handle pretty well.

This last week we have had a huge infection of the Nachi/Welchia worm
and have been ICMP packet stormed ever since.  Snort has proved vital to
detecting these systems and getting them cleaned up.

However,

We let Snort run over one weekend and we filled the system's filesystem
with logs.  Over 20 million alerts about Ping.

Is there a way to write a rule (or something else) to only throw an
alert after X matches?  We would set it so that something like 1000 pings
throws an alert, rather than a separate alert for each ping.

Thanks,

Jake Roberts
BYU Network Security
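Added example, not part of the original post and not Snort's own code: the counting the poster asks for (one alert once a source has produced N matching pings inside a time window) done as a post-processing pass over Snort `alert_fast` lines in Python. Snort's `threshold` rule option (type threshold, track by_src, count, seconds) does this natively; the script shows the logic, and the alert lines (SID 1:382:4, addresses, timestamps) are constructed samples.

```python
import re
from datetime import datetime

# Snort alert_fast line layout; the timestamp carries no year, so one is assumed.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(?P<sid>[\d:]+)\] "
    r"(?P<msg>.*?) \[\*\*\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

def parse_fast(line, year=2003):
    """Parse one alert_fast line into a dict, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": m["sid"], "msg": m["msg"], "src": m["src"], "dst": m["dst"]}

def threshold_alerts(lines, count, seconds, track="by_src"):
    """Emit one summary alert per `count` events with the same SID from the same
    tracked address inside a `seconds`-long window (Snort 'type threshold' logic)."""
    state = {}  # (sid, addr) -> (window_start, hits_in_window)
    out = []
    for line in lines:
        ev = parse_fast(line)
        if ev is None:          # skip lines that are not alerts (e.g. truncated writes)
            continue
        addr = ev["src"] if track == "by_src" else ev["dst"]
        key = (ev["sid"], addr)
        start, hits = state.get(key, (ev["ts"], 0))
        if (ev["ts"] - start).total_seconds() >= seconds:
            start, hits = ev["ts"], 0     # window expired: start a fresh one
        hits += 1
        if hits >= count:
            out.append(f"[{ev['sid']}] {ev['msg']}: {count} hits from {addr} "
                       f"since {start:%H:%M:%S}")
            hits = 0
        state[key] = (start, hits)
    return out

def make_ping(ts, src, dst="10.0.0.1"):
    # Constructed sample alert_fast line (not taken from the poster's logs).
    return (f"{ts} [**] [1:382:4] ICMP PING Windows [**] [Classification: Misc activity] "
            f"[Priority: 3] {{ICMP}} {src} -> {dst}")

# Constructed sample: 7 pings from 10.1.2.3 in 7 s, 2 from 10.1.2.4, one garbage line.
SAMPLE = [make_ping(f"08/25-02:00:0{i}.000001", "10.1.2.3") for i in range(7)]
SAMPLE += [make_ping("08/25-02:00:10.000001", "10.1.2.4"),
           make_ping("08/25-02:00:11.000001", "10.1.2.4"), "not an alert line"]

if __name__ == "__main__":
    for summary in threshold_alerts(SAMPLE, count=3, seconds=60):
        print(summary)
```

With `count=3` the 7 pings from 10.1.2.3 collapse into two summary alerts and the two from 10.1.2.4 into none; at the poster's `count=1000` the sample produces no alert at all.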
