[Snort-sigs] Limiting Alert Rates? Newbie

Michael Miller michael.miller at ...1811...
Wed Aug 27 07:13:10 EDT 2003

The other possibility is to reduce the amount of time between archiving and
compressing logs. A 10:1 log compression is fairly conservative. In a test
run, we got 320 MB of tcpdump data bzip2'd down to 28 MB.


-----Original Message-----
From: Erek Adams [mailto:erek at ...95...] 
Sent: Tuesday, August 26, 2003 3:51 PM
To: Jacob Roberts
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Limiting Alert Rates? Newbie

On Tue, 26 Aug 2003, Jacob Roberts wrote:


> Is there a way to write a rule (or something else) to only throw an 
> alert after X matches?  We would set it at something like 1000 pings 
> throws an alert, rather than a separate alert for each ping.


Snort does not have any sort of thresholding ability.

Swatch can sorta do this, but you'd have to parse syslog data and then send
over a 'pseudo alert'.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
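One way to do the Swatch-style counting Erek describes, as an added example that is not code from this thread, from Snort or from Swatch: a small Python filter that reads Snort alert lines from syslog and emits a single pseudo-alert for every N matches of the same signature and source address, instead of one alert per ping. The line layout the regex expects and the sample lines are assumptions (constructed here), modelled on the usual "snort[pid]: [gid:sid:rev] msg {proto} src -> dst" syslog output.

```python
import re
from collections import defaultdict

# Assumed Snort syslog alert layout (constructed for this example):
#   Mon DD HH:MM:SS host snort[pid]: [gid:sid:rev] MSG {PROTO} SRC -> DST
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"\[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)


def threshold_alerts(lines, limit):
    """Count alert lines per (signature, source) and return one pseudo-alert
    string for every `limit` matches, suppressing the individual alerts."""
    counts = defaultdict(int)
    pseudo_alerts = []
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue  # other syslog traffic, not a Snort alert line
        key = (m.group("sid"), m.group("src"))
        counts[key] += 1
        if counts[key] % limit == 0:
            pseudo_alerts.append(
                f"{m.group('ts')} THRESHOLD {limit} x [{m.group('sid')}] "
                f"{m.group('msg')} from {m.group('src')} "
                f"(last dst {m.group('dst')})"
            )
    return pseudo_alerts


# Constructed sample log: five pings from one host, one from another,
# plus an unrelated sshd line that the filter must ignore.
SAMPLE_LOG = [
    f"Aug 26 15:51:{s:02d} sensor snort[1234]: [1:384:4] ICMP PING {{ICMP}} "
    f"10.0.0.1 -> 10.0.0.2"
    for s in range(5)
] + [
    "Aug 26 15:51:10 sensor snort[1234]: [1:384:4] ICMP PING {ICMP} 10.0.0.9 -> 10.0.0.2",
    "Aug 26 15:51:11 sensor sshd[99]: Accepted publickey for admin from 10.0.0.5",
]

if __name__ == "__main__":
    for alert in threshold_alerts(SAMPLE_LOG, 3):
        print(alert)
```

In practice the lines would be read from the syslog file Swatch watches, and the returned strings handed to whatever the pseudo-alert should be sent through (mail, syslog, a pager).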
