[Snort-users] ICQ rules
Eric.Grotenhuis at ...963...
Mon Nov 26 05:55:03 EST 2001
Has anyone looked into rewriting the ICQ rule in the present ruleset? Every
time you open a new ICQ message or receive one, it can kick off up to 10
alerts. Get a dozen chatty users and you have a LOT of alerts quickly.
I'm a rule-writing rookie, but maybe we can change the way this works.
Maybe we can create a new rule that only logs the initial auth to ICQ's
servers instead of every time it pulls down a banner?
Just a thought.
Safelite Glass Corp