[Snort-users] ICQ rules

Grotenhuis, Eric Eric.Grotenhuis at ...963...
Mon Nov 26 05:55:03 EST 2001


Has anyone looked into rewriting the ICQ rule in the present ruleset?  Every
time you open a new ICQ message or receive one, it can kick off up to 10
alerts.  Get a dozen chatty users and you have a LOT of alerts quick.

I'm a rule writing rookie, but maybe we can change the way this works.
Maybe we can create a new rule that only logs the initial auth to ICQ's
servers instead of every time it pulls down a banner?

Just a thought.



Eric Grotenhuis
Network Analyst
Safelite Glass Corp
614.798.2508