[Snort-sigs] Limiting Alert Rates? Newbie
erek at ...95...
Tue Aug 26 14:52:04 EDT 2003
On Tue, 26 Aug 2003, Jacob Roberts wrote:
> Is there a way to write a rule (or something else) to only throw an
> alert after X matches? We would set it at something like 1000 pings
> throws an alert, rather than a separate alert for each ping.
Snort does not have any sort of thresholding ability.
Swatch can sorta do this, but you'd have to parse syslog data and then
send over a 'pseudo alert'.
"When things get weird, the weird turn pro." H.S. Thompson
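An added example of the approach the reply sketches (my code, not part of the thread and not Swatch itself): a small Python script that reads Snort's syslog alert lines, counts hits per signature and source address, and emits one consolidated "pseudo alert" every N matches instead of one alert per packet. The log lines, signature id and addresses are constructed for illustration; a real deployment would feed it the live syslog stream.

```python
"""Aggregate Snort syslog alerts: one pseudo alert per N matches of a signature/source pair."""
import re
from collections import defaultdict

# Shape of a Snort syslog alert line, e.g.
#   snort[1234]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 10.0.0.5 -> 10.0.0.1
# Classification/Priority blocks and ports are optional so plain and verbose forms both parse.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s*"
    r"(?:\[Classification:[^\]]*\]\s*)?"
    r"(?:\[Priority:\s*\d+\]\s*)?:?\s*"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


class AlertThrottle:
    """Counts alerts per (gid:sid, source) and reports only every `threshold`-th hit."""

    def __init__(self, threshold):
        if threshold < 1:
            raise ValueError("threshold must be >= 1")
        self.threshold = threshold
        self.counts = defaultdict(int)  # (gid:sid, src) -> hits seen so far

    def feed(self, line):
        """Consume one syslog line; return a pseudo-alert string on every threshold-th hit, else None."""
        a = parse_alert(line)
        if a is None:
            return None
        key = (f"{a['gid']}:{a['sid']}", a["src"])
        self.counts[key] += 1
        n = self.counts[key]
        if n % self.threshold == 0:
            return (f"[{key[0]}] {a['msg']} from {a['src']}: "
                    f"{n} matches (reporting every {self.threshold})")
        return None


def throttle_lines(lines, threshold):
    """Run a whole log through the throttle and collect the pseudo alerts it produces."""
    throttle = AlertThrottle(threshold)
    return [p for p in (throttle.feed(line) for line in lines) if p]


def constructed_log(n_pings, n_other=3):
    """Constructed sample log: n_pings ICMP PING alerts from one host, a few unrelated alerts, one non-alert line."""
    lines = ["Aug 26 14:52:04 sensor snort[1234]: Initializing Output Plugins!"]
    for _ in range(n_pings):
        lines.append("Aug 26 14:52:05 sensor snort[1234]: [1:384:5] ICMP PING "
                     "[Classification: Misc activity] [Priority: 3]: {ICMP} 10.0.0.5 -> 10.0.0.1")
    for _ in range(n_other):
        lines.append("Aug 26 14:52:06 sensor snort[1234]: [1:999999:1] EXAMPLE SCAN "
                     "{TCP} 10.0.0.9:40000 -> 10.0.0.1:22")
    return lines


if __name__ == "__main__":
    # 2500 pings with a threshold of 1000 collapse to two pseudo alerts; the 3 scan hits never reach it.
    for pseudo in throttle_lines(constructed_log(2500), 1000):
        print(pseudo)
```

Counting per signature and source keeps one noisy host from masking another; with a threshold of 1 the script degrades to plain pass-through, which is a handy way to confirm the parser accepts your sensor's exact syslog format before raising the threshold.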