[Snort-users] Snort alerts

Siddhartha Jain s_i_d_j at ...131...
Mon Mar 26 18:34:24 EST 2001


I run snort this way:
./snort -D -de -C -i hme1 -l ../log -c ../conf/snort.conf

This produces alerts by truck-loads but I think I need to capture packets so
I can see the content. Is there a way to configure alerts so that snort
writes a single alert for an attack signature from a particular IP to a
particular IP? That would mean that if x.x.x.x sends 2000 packets to y.y.y.y
containing an attack signature, snort would write only a single line in some
file for the first packet containing the signature and the rest of them will
be ignored or logged somewhere else. This way I can read the shorter file
and generate paging messages from it. Right now, with the number of alerts
generated it seems impossible to send pages or mails to do (almost)
realtime alerting.



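As an added example, not from the post or the Snort project, here is a post-processor for Snort's alert_fast-style output that keeps only the first alert per signature and source/destination pair and counts the rest, which is what the question asks for (later Snort releases do this natively with the threshold/event_filter configuration keywords). The sample alert lines, addresses and signature IDs below are constructed.

```python
import re
from collections import OrderedDict

# Matches alert_fast-style lines such as:
#   03/26-18:30:01.000001 [**] [1:100001:1] MSG [**] [Priority: 2] {TCP} 192.0.2.10:4444 -> 198.51.100.5:80
# Ports are optional so ICMP alerts (no ports) parse too.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$'
)

# Constructed sample: four hits of signature 100001 (three from one source, one from
# another) and one ICMP hit of signature 100002. Signature IDs are placeholders.
SAMPLE = """\
03/26-18:30:01.000001 [**] [1:100001:1] CONSTRUCTED TEST SIG A [**] [Priority: 2] {TCP} 192.0.2.10:4444 -> 198.51.100.5:80
03/26-18:30:01.000002 [**] [1:100001:1] CONSTRUCTED TEST SIG A [**] [Priority: 2] {TCP} 192.0.2.10:4445 -> 198.51.100.5:80
03/26-18:30:02.000003 [**] [1:100002:1] CONSTRUCTED TEST SIG B [**] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5
03/26-18:30:02.000004 [**] [1:100001:1] CONSTRUCTED TEST SIG A [**] [Priority: 2] {TCP} 192.0.2.11:4444 -> 198.51.100.5:80
03/26-18:30:03.000005 [**] [1:100001:1] CONSTRUCTED TEST SIG A [**] [Priority: 2] {TCP} 192.0.2.10:4446 -> 198.51.100.5:80
"""

def dedup_alerts(lines):
    """Return (first, suppressed, unparsed): first maps (gid, sid, src, dst) to the
    first alert line seen for that key, suppressed counts the repeats per key, and
    unparsed collects lines that did not match the expected format."""
    first = OrderedDict()
    suppressed = {}
    unparsed = []
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        key = (m['gid'], m['sid'], m['src'], m['dst'])
        if key in first:
            suppressed[key] += 1          # repeat: count it, do not page again
        else:
            first[key] = line             # first hit for this sig/src/dst: worth a page
            suppressed[key] = 0
    return first, suppressed, unparsed

def page_lines(first, suppressed):
    """Short file for paging: one line per key, annotated with the repeat count."""
    return [f"{line}  [+{suppressed[k]} more]" if suppressed[k] else line
            for k, line in first.items()]

if __name__ == "__main__":
    first, suppressed, unparsed = dedup_alerts(SAMPLE.splitlines())
    print("\n".join(page_lines(first, suppressed)))
```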