[Snort-sigs] Limiting Alert Rates? Newbie

Erek Adams erek at ...95...
Tue Aug 26 14:52:04 EDT 2003


On Tue, 26 Aug 2003, Jacob Roberts wrote:

[...snip...]

> Is there a way to write a rule (or something else) to only throw an
> alert after X matches?  We would set it at something like 1000 pings
> throws an alert, rather than a separate alert for each ping.

Nope.

Snort does not have any sort of thresholding ability.

Swatch can sorta do this, but you'd have to parse syslog data and then
send over a 'pseudo alert'.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
