[Snort-users] Snort Log Method

Erek Adams erek at ...577...
Thu Aug 29 07:48:01 EDT 2002


On Thu, 29 Aug 2002, Pedro Tedeschi wrote:

> Is it possible for Snort to log just one unique event per IP?

No.

> Like this
>
> The IP 1.1.1.1 has attacked 345 times on the same signature "WEB-IIS cmd.exe access"
> But I want to log this attack just one time and discard the other attacks from this signature.
>
> Can I do this?

Snort logs each and every event as an individual alert.  They are _different_
each time it goes off.  Even if you do get 500 CRII attacks, each packet is
different.  Therefore, each time it happens, it will generate an alert.

Now, what you _can_ do is use a log tool.  There is a tool called
snort_stat.pl that will read a logfile, and condense it.  You could then have
it emailed to you.  It gives a breakdown of events and the number of times it
occurred, among others.  IIRC, there is a version in the contrib dir in the
tarball.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
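
The condensing step described in the reply above (one entry per source IP and signature, with a count), as an added Python example; it is not snort_stat.pl and not part of the original message. It assumes Snort's one-line "fast" alert format, and the sample lines, addresses and IDs are constructed.

```python
import re
from collections import OrderedDict

# Assumed input: Snort "fast" alert lines, e.g.
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [...] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+(?:\[\d+:\d+:\d+\]\s+)?(?P<sig>.+?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)

# Constructed sample data; addresses, IDs and timestamps are illustrative.
SAMPLE = """\
08/29-07:40:01.100000  [**] [1:1002:2] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 1.1.1.1:3101 -> 192.0.2.10:80
08/29-07:40:02.200000  [**] [1:1002:2] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 1.1.1.1:3102 -> 192.0.2.10:80
08/29-07:41:15.300000  [**] [1:1002:2] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:4410 -> 192.0.2.10:80
08/29-07:42:30.400000  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 1.1.1.1 -> 192.0.2.11
08/29-07:43:00.500000  [**] [1:1002:2] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 1.1.1.1:3190 -> 192.0.2.12:80
--- log rotated ---
"""

def condense(lines):
    """Return (records, skipped): one record per (source IP, signature)."""
    seen = OrderedDict()  # keeps first-seen order of each (src, sig) pair
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if m is None:
            skipped += 1  # counted so unparsed lines are not silently lost
            continue
        key = (m.group("src"), m.group("sig"))
        rec = seen.setdefault(key, {"src": key[0], "sig": key[1], "count": 0,
                                    "first": m.group("ts"), "targets": set()})
        rec["count"] += 1
        rec["last"] = m.group("ts")        # timestamp of the latest repeat
        rec["targets"].add(m.group("dst"))  # distinct hosts this source hit
    return list(seen.values()), skipped

if __name__ == "__main__":
    records, skipped = condense(SAMPLE.splitlines())
    for r in records:
        print(f'{r["src"]:<15} {r["count"]:>4}x  {r["sig"]}  '
              f'({r["first"]} .. {r["last"]}, {len(r["targets"])} target(s))')
    print(f"{skipped} line(s) not parsed")
```

The full alert file stays intact on disk; only the report is condensed, so the individual packets remain available for investigation.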




