[Snort-users] Alerting on >n packets?

Joshua Thomas thomasj at ...3870...
Fri Oct 19 09:31:10 EDT 2001


Hello all. This is my first post to this list.
I'm using snort at the University of Connecticut, where it may eventually be
used university-wide to watch for attacks.

We trigger lots of false positives, especially on the rules that don't check
packet contents. My question is, can I write rules that will trigger after
"n" number of packets that trigger another alert? For example, we have an
FTP server which triggers almost all of the arachNIDS trojan rules, daily.
However it only triggers each rule once or twice. Can I have it not generate
an alert until 10, 50, or 100 of those packets are seen?

Thanks in advance,

Joshua F. Thomas
Research Assistant | Fiber Optics Manufacturing
Programmer | University Information Technology Services
University of Connecticut
Lab: 860-486-0624
thomasj at ...3870...
http://www.engr.uconn.edu/ofmrl/
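The count-before-alerting behaviour asked about, as an added Python example (not part of the original post and not Snort's own code): it post-processes simplified alert_fast-style lines and emits one alert only after N matching hits from the same source within M seconds. The sample lines are constructed, the line format is simplified from Snort's real alert_fast output, and the parser, the "track by source" key and the window reset are assumptions of this illustration; Snort 2.x later added the same model natively through the `threshold` and `detection_filter` rule keywords.

```python
"""Count-based alert threshold over Snort-style alert lines.

Added illustration, not Snort code: alert only after `count` matching hits
from the same tracked address arrive within `seconds`. Input lines are a
simplified, constructed alert_fast format, not real traffic.
"""
from collections import defaultdict, deque
import re

# Constructed sample (simplified alert_fast layout: timestamp, gid:sid:rev,
# message, src:port -> dst:port). Not captured from a live sensor.
SAMPLE_ALERTS = """\
10/19-09:00:01.000000 [**] [1:100:1] TROJAN sample A [**] 10.1.1.5:2345 -> 10.1.2.21:21
10/19-09:00:02.000000 [**] [1:101:1] TROJAN sample B [**] 10.1.1.5:2346 -> 10.1.2.21:21
10/19-09:00:03.000000 [**] [1:100:1] TROJAN sample A [**] 10.1.1.5:2347 -> 10.1.2.21:21
10/19-09:00:04.000000 [**] [1:100:1] TROJAN sample A [**] 10.1.1.5:2348 -> 10.1.2.21:21
10/19-09:05:00.000000 [**] [1:100:1] TROJAN sample A [**] 10.1.1.5:2349 -> 10.1.2.21:21
10/19-09:05:01.000000 [**] [1:100:1] TROJAN sample A [**] 10.1.1.5:2350 -> 10.1.2.21:21
10/19-09:05:02.000000 [**] [1:100:1] TROJAN sample A [**] 10.1.1.5:2351 -> 10.1.2.21:21
10/19-09:05:03.000000 [**] [1:100:1] TROJAN sample A [**] 10.1.1.5:2352 -> 10.1.2.21:21
"""

LINE_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d+) "
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Parse one alert line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Seconds since midnight; adequate for a single-day window in this illustration.
    ts = int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"]) + int(d["us"]) / 1e6
    return {"ts": ts, "sid": int(d["sid"]), "msg": d["msg"],
            "src": d["src"], "dst": d["dst"]}


def threshold_alerts(lines, count, seconds, track="src"):
    """Yield one summary alert per (sid, tracked address) each time `count`
    hits for that key fall inside a sliding window of `seconds`.

    The window is cleared after firing, so the next `count` hits produce the
    next alert rather than one alert per additional packet (an assumption of
    this example).
    """
    windows = defaultdict(deque)  # (sid, address) -> timestamps currently in window
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # skip lines that are not alerts (e.g. blank or malformed)
        key = (a["sid"], a[track])
        q = windows[key]
        q.append(a["ts"])
        # Evict hits older than the window relative to the newest hit.
        while q and a["ts"] - q[0] > seconds:
            q.popleft()
        if len(q) >= count:
            q.clear()
            yield {"sid": a["sid"], "msg": a["msg"], track: a[track],
                   "hits": count, "at": a["ts"]}


def run_sample(count=3, seconds=60):
    """Apply the threshold to the constructed sample and return the alerts."""
    return list(threshold_alerts(SAMPLE_ALERTS.splitlines(), count, seconds))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

With the defaults (3 hits within 60 seconds, tracked by source) the eight sample lines collapse to two alerts for sid 100: the single sid 101 hit and the trailing fourth hit at 09:05:03 never reach the count, so they stay silent. Tightening the window to one second produces no alerts at all, which is the trade-off the post is after: a handful of scattered hits from a busy FTP server are suppressed, while a burst still fires.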
