[Snort-users] Alerting on >n packets?

Fraser Hugh hugh_fraser at ...2804...
Mon Oct 22 10:12:02 EDT 2001


Have a look at sec.pl (Simple Event Correlation) at
www.estpak.ee/~risto/sec/. It will do some of the basic time-based event
correlation you're talking about, as well as multiple event relationships
(i.e. suppress further out-of-limit events until an in-limit event occurs).
It can be configured to read from a pipe that Snort logs to.

> -----Original Message-----
> From: Lodin, Steven {GZ-Q~Mannheim} [mailto:STEVEN.LODIN at ...2526...]
> Sent: Monday, October 22, 2001 2:23 AM
> To: 'Martin Roesch'; Joshua Thomas
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Alerting on >n packets?
> 
> 
> I would change the topic to "Alerting on >n events".
> 
> This is something I tried to do, but failed in ISS.  Either 
> the product didn't support thresholds or I couldn't find it 
> in the documentation.  The situation was the following:
> 
> N events in K time is normal behaviour
> 10N events in K time is a warning level
> 100N events in K time is an active attack requiring immediate response
> 
> To accomplish this, I fed all events to a Tivoli Distributed 
> Monitoring system using SNMP.  Tivoli did the event 
> collection and thresholding.  When it reached its trigger 
> points, then the Tivoli response system dished out the 
> appropriate emails and pages.
> 
> > 
> > That's a good feature suggestion, but it's not implemented in Snort at
> > this time.  It could probably be a nice feature for a post-processing
> > system if you didn't want to modify Snort's source code.
> > 
> 
> I agree that it would be a nice feature, but not in the core 
> code.  I would advocate doing in the post-processing system.
> 
> Steve Lodin
> Head of Global IT Security and Risk Management
> Roche Diagnostics GmbH
> (W) +49-621-759-5276
> (M) +49-173-348-4974
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
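
The thresholding described in this thread, as an added example (not SEC's rule syntax, not Snort code, and not something either poster published): a small post-processor that reads Snort-style "fast" alert lines, keeps a sliding window of K seconds per (signature, source IP), and applies Steve's three levels (N events in K seconds is normal, 10N is a warning, 100N is an active attack). It also implements the suppression behaviour Fraser attributes to SEC: once a key is out of limit, further out-of-limit events are silent until the key drops back within limits, and an escalation (warning to attack) is the only other thing reported. The alert-line layout is assumed to be Snort's fast format, and every sample line is constructed for this example rather than taken from a real capture.

```python
"""Threshold/hysteresis post-processor for Snort-style fast alert lines.

Added example; not SEC, not Snort code.  The alert-line layout is an
assumption and the sample stream below is constructed.
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

# Snort-style "fast" alert line (layout assumed for this example):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$'
)

_EPOCH = datetime(1900, 1, 1)

def to_seconds(ts):
    # The fast format carries no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used.
    return (datetime.strptime(ts, "%m/%d-%H:%M:%S") - _EPOCH).total_seconds()

LEVELS = ("normal", "warning", "attack")

class ThresholdCorrelator:
    """N events in window_s seconds is normal, 10N warning, 100N attack."""

    def __init__(self, base_n, window_s):
        self.n = base_n
        self.window = window_s
        self.events = defaultdict(deque)   # (sid, src) -> timestamps in window
        self.level = defaultdict(int)      # (sid, src) -> last *reported* level

    def level_for(self, count):
        if count >= 100 * self.n:
            return 2
        if count >= 10 * self.n:
            return 1
        return 0

    def feed(self, line):
        """Return (level, sid, src, count) when a report is due, else None."""
        m = ALERT_RE.match(line.rstrip("\n"))
        if not m:
            return None                     # not an alert line: ignore
        t = to_seconds(m.group("ts"))
        key = (m.group("sid"), m.group("src"))
        q = self.events[key]
        q.append(t)
        while q and t - q[0] >= self.window:   # keep only (t - K, t]
            q.popleft()
        new, cur = self.level_for(len(q)), self.level[key]
        # Report escalations and the return to an in-limit state; while a
        # key stays out of limit, repeated events are suppressed.
        if new > cur or (new == 0 and cur > 0):
            self.level[key] = new
            return (LEVELS[new], key[0], key[1], len(q))
        return None

def run(lines, base_n=1, window_s=120):
    """Feed an iterable of alert lines; return the list of reports."""
    corr = ThresholdCorrelator(base_n, window_s)
    return [r for r in (corr.feed(l) for l in lines) if r]

def sample_alerts():
    """Constructed alert stream (not real capture data)."""
    lines = []
    # 105 probes from one host, one per second: crosses 10N at the 10th
    # and 100N at the 100th probe (with N=1, K=120 in run()).
    for i in range(105):
        mnt, sec = divmod(i, 60)
        lines.append(f"10/22-10:{12 + mnt:02d}:{sec:02d}.000000  [**] [1:384:5] ICMP PING [**] "
                     f"[Classification: Misc activity] [Priority: 3] {{ICMP}} 10.0.0.5 -> 10.0.0.1")
    # A single alert from another host: within limits, nothing reported.
    lines.append("10/22-10:13:00.500000  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] "
                 "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:80 -> 10.0.0.1:4000")
    # A non-alert line (e.g. a startup message) that reaches the pipe is skipped.
    lines.append("Initializing Network Interface eth0")
    # One probe much later: the window has drained, so the key is back in limit.
    lines.append("10/22-10:30:00.000000  [**] [1:384:5] ICMP PING [**] "
                 "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1")
    return lines

if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else sample_alerts()
    for level, sid, src, count in run(source):
        print(f"{level.upper():8s} sid={sid} src={src} count={count}")
```

Run it without input to see the constructed stream produce one warning, one attack and one return-to-normal report; in use it would sit on the other end of the pipe Snort logs to (for instance `tail -f alert | python this_script.py`). Because the window is only evaluated when an event arrives, "back in limit" is reported on the next event after the burst, not at the moment the window empties; a timer would be needed for that, which is the kind of thing SEC's timeout actions handle.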