[Snort-sigs] Can I still log every packet when thresholding the alerts?

Williams Jon WilliamsJonathan at ...2010...
Tue Nov 25 12:17:14 EST 2003


I've been working on exception alerting using snort (i.e. alerting on
traffic inside a network that isn't sourced from or destined to that
subnet, unused protocols, etc.), and its worked rather well, too well,
in fact.  There are times, such as with Blaster/Welchia/SQL Slammer,
where the rules send out 25k alerts in 5 minutes.  On the one hand,
we're using the detail to determine what's going on (i.e. distinguishing
an actual Welchia infection from the Yahoo! Messenger cruft).  On the
other hand, my boss tends to frown on receiving a pager bill for 3
million pages in a month :-)

So, I was thinking, could I use a rule that has the threshold stuff set
to generate only one alert every X minutes and then have a second rule
that just logs any packet that matches the same criteria?  I vaguely
remember some discussions a while back about having multiple rule
matches, but I don't remember if the end result was the ability to have
the same packet initiate multiple distinct actions.

Thanks.

Jon





More information about the Snort-sigs mailing list