[Snort-sigs] Limiting Alert Rates? Newbie

Michael Miller michael.miller at ...1811...
Wed Aug 27 07:13:10 EDT 2003


The other possibility is to reduce the amount of time between archiving and
compressing logs. A 10:1 log compression is fairly conservative. In a test
run, 320 MB of tcpdump data we've got bzip2'd down to 28 MB.


-----Original Message-----
From: Erek Adams [mailto:erek at ...95...] 
Sent: Tuesday, August 26, 2003 3:51 PM
To: Jacob Roberts
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Limiting Alert Rates? Newbie

On Tue, 26 Aug 2003, Jacob Roberts wrote:

[...snip...]

> Is there a way to write a rule (or something else) to only throw an 
> alert after X matches?  We would set it at something like 1000 pings 
> throws an alert, rather than a separate alert for each ping.

Nope.

Snort does not have any sort of thresholding ability.

Swatch can sorta do this, but you'd have to parse syslog data and then send
over a 'pseudo alert'.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs