[Snort-users] Alerting on >n packets?

Lodin, Steven {GZ-Q~Mannheim} STEVEN.LODIN at ...2526...
Mon Oct 22 05:24:06 EDT 2001

I would change the topic to "Alerting on >n events".

This is something I tried to do, but failed in ISS.  Either the product didn't support thresholds or I couldn't find it in the documentation.  The situation was the following:

N events in K time is normal behaviour
10N events in K time is a warning level
100N events in K time is an active attack requiring immediate response

To accomplish this, I fed all events to a Tivoli Distributed Monitoring system using SNMP.  Tivoli did the event collection and thresholding.  When it reached its trigger points, then the Tivoli response system dished out the appropriate emails and pages.

> That's a good feature suggestion, but it's not implemented in Snort at
> this time.  It could probably be a nice feature for a post-processing
> system if you didn't want to modify Snort's source code.

I agree that it would be a nice feature, but not in the core code.  I would advocate doing it in the post-processing system.

Steve Lodin
Head of Global IT Security and Risk Management
Roche Diagnostics GmbH
(W) +49-621-759-5276
(M) +49-173-348-4974
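
The N / 10N / 100N thresholding described in this message, sketched as a post-processing step (an added example, not part of the original post and not Snort or Tivoli code). The class and function names, the event label, and the values chosen for N and K are assumptions; the sample events are constructed.

```python
from collections import defaultdict, deque


class ThresholdMonitor:
    """Sliding-window event counter, one window per event name."""

    def __init__(self, n, k_seconds):
        self.n = n            # baseline: N events in K seconds is normal
        self.k = k_seconds    # window length K (assumed to be in seconds)
        self.windows = defaultdict(deque)            # name -> timestamps in window
        self.state = defaultdict(lambda: "normal")   # name -> last level reported

    def level_for(self, count):
        if count >= 100 * self.n:
            return "attack"      # 100N: immediate response
        if count >= 10 * self.n:
            return "warning"     # 10N: warning level
        return "normal"

    def observe(self, ts, name):
        """Record one event; return (name, old, new, count) on a level change."""
        win = self.windows[name]
        win.append(ts)
        while win[0] <= ts - self.k:   # drop events older than the window
            win.popleft()
        new, old = self.level_for(len(win)), self.state[name]
        if new == old:
            return None                # notify on transitions only, not per event
        self.state[name] = new
        return (name, old, new, len(win))


def run(events, n, k_seconds):
    mon = ThresholdMonitor(n, k_seconds)
    changes = (mon.observe(ts, name) for ts, name in events)
    return [c for c in changes if c is not None]


def sample_events():
    # Constructed input: (seconds, event name) pairs in time order.
    quiet = [(t * 10.0, "ICMP PING") for t in range(6)]
    burst = [(1000 + i * 0.1, "ICMP PING") for i in range(250)]
    return quiet + burst + [(2000.0, "ICMP PING")]


if __name__ == "__main__":
    for name, old, new, count in run(sample_events(), n=2, k_seconds=60):
        print(f"{name}: {old} -> {new} ({count} events in window)")
```

The level is re-evaluated only when an event arrives, so a return to normal is reported on the next event after the burst has aged out of the window.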
