[Snort-sigs] Limiting Alert Rates? Newbie
Richard.Crane at ...1813...
Wed Aug 27 07:23:20 EDT 2003
On Tuesday, August 26, 2003, at 05:50 PM, Erek Adams wrote:
> On Tue, 26 Aug 2003, Jacob Roberts wrote:
>> Is there a way to write a rule (or something else) to only throw an
>> alert after X matches? We would set it at something like 1000 pings
>> throws an alert, rather than a separate alert for each ping.
> Snort does not have any sort of thresholding ability.
This would be a great facility -- I have had to drastically reduce the
alerts in order to be able to process the log file on an hourly basis.
Haskins Laboratories / (203) 865-6163 X 275 / FAX (203) 865-8963