[Snort-users] Alerting on >n packets?

Martin Roesch roesch at ...1935...
Sun Oct 21 20:46:27 EDT 2001


That's a good feature suggestion, but it's not implemented in Snort at
this time.  It could probably be a nice feature for a post-processing
system if you didn't want to modify Snort's source code.

     -Marty

Joshua Thomas wrote:
> 
> Hello all. This is my first post to this list.
> I'm using snort at the University of Connecticut, where it may eventually be
> used university-wide to watch for attacks.
> 
> We trigger lots of false positives, especially on the rules that don't check
> packet contents. My question is, can I write rules that will trigger after
> "n" number of packets that trigger another alert? For example, we have an
> FTP server which triggers almost all of the arachNIDS trojan rules, daily.
> However it only triggers each rule once or twice. Can I have it not generate
> an alert until 10, 50, or 100 of those packets are seen?
> 
> Thanks in advance,
> 
> Joshua F. Thomas
> Research Assistant | Fiber Optics Manufacturing
> Programmer | University Information Technology Services
> University of Connecticut
> Lab: 860-486-0624
> thomasj at ...3870...
> http://www.engr.uconn.edu/ofmrl/
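The post-processing approach suggested in the reply could look like the following. This is an added example, not code from the thread or from Snort. It assumes alerts are logged one per line as timestamp, `[**] message [**]`, then `src -> dst`; the function name `escalate`, the grouping by (message, destination host) and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed one-line alert layout: MM/DD-HH:MM:SS.usec  [**] message [**] ... src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+(?P<dst>\d+(?:\.\d+){3})(?::\d+)?\s*$"
)

def escalate(lines, limit, window=timedelta(hours=24), year=2001):
    """Return (timestamp, msg, dst, count) each time a (msg, dst) pair
    reaches `limit` alerts inside a sliding `window`."""
    recent = defaultdict(deque)   # (msg, dst) -> timestamps still inside the window
    escalated = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue              # not an alert line in the assumed layout
        # The log timestamp carries no year, so the caller supplies one.
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        hits = recent[(m["msg"], m["dst"])]
        hits.append(ts)
        while ts - hits[0] > window:   # drop alerts that have aged out
            hits.popleft()
        if len(hits) >= limit:
            escalated.append((ts, m["msg"], m["dst"], len(hits)))
            hits.clear()               # start counting again after escalating
    return escalated

# Constructed sample alerts (not real traffic): an FTP server that trips one
# rule twice in a day, and another host that trips a rule three times in seconds.
SAMPLE = """\
10/21-09:00:01.000001  [**] BACKDOOR example-trojan-a [**] 10.1.1.7:1042 -> 10.1.1.20:21
10/21-09:05:00.000001  [**] BACKDOOR example-trojan-b [**] 10.1.1.8:2001 -> 10.1.1.30:1243
10/21-09:05:02.000001  [**] BACKDOOR example-trojan-b [**] 10.1.1.8:2002 -> 10.1.1.30:1243
10/21-09:05:04.000001  [**] BACKDOOR example-trojan-b [**] 10.1.1.8:2003 -> 10.1.1.30:1243
10/21-13:00:00.000001  [**] BACKDOOR example-trojan-a [**] 10.1.1.9:1050 -> 10.1.1.20:21
10/21-13:00:05.000001  [**] BACKDOOR example-trojan-b [**] 10.1.1.8:2004 -> 10.1.1.30:1243
""".splitlines()

if __name__ == "__main__":
    for ts, msg, dst, count in escalate(SAMPLE, limit=3):
        print(f"{ts} {msg} -> {dst}: {count} alerts within window")
```

With `limit=3` the FTP server's two hits stay silent while the burst against the second host is reported once; a shorter `window` keeps widely spaced hits from ever adding up.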



