[Snort-sigs] general sig question

d_greenjr d_greenjr at ...12...
Wed May 21 23:02:05 EDT 2003


Is there a way to have a rule alert-and/or log-only after the rule has been detected n amount of times from a specific source?

For example, how can I edit the following rule to only alert after the sensor detects this signature 20 times from a single node that is !$HOME_NET?
 alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content: "|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|"; reference:bugtraq,1163; reference:cve,CVE-2000-0347; reference:arachnids,204; classtype:attempted-recon; sid:530; rev:7;) 
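Added example, not part of the original post: in Snort 2.x the per-rule behaviour asked about above is expressed with the threshold rule option. The rule below is sid 530 from the message with a threshold clause appended; the 60-second window is an assumed value, chosen here for illustration. With type threshold and track by_src, the sensor counts matches per source address and raises one event on every 20th match within the window; type limit would instead alert on the first match and suppress the rest of the window, and type both alerts once per window only after the count is reached. Later Snort 2.x releases renamed the per-rule form to detection_filter with the same track/count/seconds arguments, while event_filter in threshold.conf applies the same logic to an existing sid without editing the rule.

```snort
# Added example (not from the original post): sid 530 with a per-source threshold.
# Assumed window: 60 seconds. Alert only when one source has matched 20 times.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|"; reference:bugtraq,1163; reference:cve,CVE-2000-0347; reference:arachnids,204; classtype:attempted-recon; threshold:type threshold, track by_src, count 20, seconds 60; sid:530; rev:7;)
```

Because $EXTERNAL_NET is conventionally defined in snort.conf as !$HOME_NET, the source-side restriction in the question is already carried by the rule header; the threshold option only changes how often the match is reported, not what it matches, so a single source below the count still generates no event at all.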

