[Snort-sigs] Limiting Alert Rates? Newbie

Richard Crane Richard.Crane at ...1813...
Wed Aug 27 07:23:20 EDT 2003


On Tuesday, August 26, 2003, at 05:50  PM, Erek Adams wrote:

> On Tue, 26 Aug 2003, Jacob Roberts wrote:
>
> [...snip...]
>
>> Is there a way to write a rule (or something else) to only throw an
>> alert after X matches?  We would set it at something like 1000 pings
>> throws an alert, rather than a separate alert for each ping.
>
> Nope.
>
> Snort does not have any sort of thresholding ability.
>

This would be a great facility -- I have had to drastically reduce the 
alerts in order to be able to process the log file on an hourly basis 
with snortsnarf.

Richard Crane
-------
Haskins Laboratories / (203) 865-6163 X 275 /  FAX (203) 865-8963
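Nothing in the thread provides the count-based thresholding the question asks for, so here is an added example (not from the thread, the poster, or the Snort project): a Python post-processing filter that reads constructed lines in Snort's fast-alert format and emits one summary per (sid, source) only once a count threshold is reached within a time window, collapsing 1000 pings into a single alert instead of 1000.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Snort "fast" alert format (not taken from the thread).
SAMPLE_ALERTS = [
    "08/26-17:50:00.000001  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.1",
    "08/26-17:50:01.000002  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.1",
    "08/26-17:50:02.000003  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.1",
    "08/26-17:50:03.000004  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.1",
    "08/26-17:50:04.000005  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.1",
    "this line is malformed and must be skipped",
    "08/26-17:52:00.000006  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.1",
    "08/26-17:52:01.000007  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.1",
    "08/26-17:52:02.000008  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.1",
]

# timestamp, [gid:sid:rev], message, {proto}, src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+[\d.]+"
)

def parse_fast_alert(line):
    """Return a dict for one fast-alert line, or None if it does not parse."""
    m = FAST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S.%f")  # the format carries no year
    return {"ts": ts, "sid": int(m.group("sid")), "msg": m.group("msg"), "src": m.group("src")}

def threshold_alerts(lines, count, seconds):
    """Emit one summary per (sid, src) each time `count` matches arrive within
    `seconds`; matches that never reach the threshold produce nothing."""
    windows = defaultdict(list)  # (sid, src) -> timestamps still inside the window
    summaries = []
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:
            continue
        win = windows[(a["sid"], a["src"])]
        while win and (a["ts"] - win[0]).total_seconds() > seconds:
            win.pop(0)  # expire events that fell out of the window
        win.append(a["ts"])
        if len(win) >= count:
            summaries.append({"sid": a["sid"], "src": a["src"], "msg": a["msg"],
                              "count": len(win), "first": win[0], "last": a["ts"]})
            win.clear()  # report once, then start a fresh window
    return summaries
```

With `count=3, seconds=60` the sample produces two summaries for 10.0.0.5 and none for 10.0.0.9; with `count=1000` it produces none, which is the hourly-volume reduction the poster wanted.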