[Snort-sigs] Limiting Alert Rates? Newbie

Tony Lill ajlill at ...1531...
Wed Aug 27 17:01:12 EDT 2003

>>>>> "Erek" == Erek Adams <erek at ...95...> writes:

    Erek> On Tue, 26 Aug 2003, Jacob Roberts wrote:
    Erek> [...snip...]

    >> Is there a way to write a rule (or something else) to only through an
    >> alert after X matches?  We would set it at something like 1000 pings
    >> throws an alert, rather than a separate alert for each ping.

    Erek> Nope.

Some sort of alert limiting would be nice, though. I was recently
inadvertently DOS'd by snort when it tried to log about 1000 alerts
per minute from a host that got infected with an sql worm an tried to
infect the rest of the internet.

After 32 minutes, it blew up when it could no longer create
directories for log files. Something about a limit of 32000 links on
an ext3 filesystem. Not being able to open an alert file should
probably not be a fatal error, BTW, especially if it can still log by
other means.

I've got a patch that puts these logs in a structured tree instead of
a flat directory. I'll submit it when I've run it a couple of days.
Tony Lill,                         Tony.Lill at ...1532...
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"

More information about the Snort-sigs mailing list