[Snort-users] not detecting common intrusion
giermo at ...187...
Thu Jun 27 07:12:05 EDT 2002
>You can't use a rule, since there's not a "X packets over Y time" logic built
>into the rule parser. You'd have to have some sort of preprocessor similar to
>the portscan preprocessor to do that.
A while back I wrote up a patch to create a new ruletype I called a Trigger
rule that did exactly this. The alert would fire if and only if the
signature got matched X times in Y seconds. Perhaps someone would be
interested in re-visiting this idea? I submitted two versions of the patch,
one based on the 1.8.x codebase and one on the 1.9/2.0 codebase. They are
probably both out-of-date currently, and would need some tweaking to get
them to work, which I do not currently have time to do.
If there is any interest in this, I would be happy to forward the old
patches. They can also be found in the snort-devel archive.
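The "fire only if the signature matched X times in Y seconds" semantics described above, as an added Python illustration of the idea; this is not the poster's patch or Snort code, and the event dictionary format, field names and per-source-address keying are assumptions.

```python
from collections import defaultdict, deque


class TriggerRule:
    """Sliding-window threshold: alert when signature `sid` matches at least
    `count` times within `window` seconds for the same source address.
    (Assumed event shape: {"ts": float, "sid": int, "src": str}.)"""

    def __init__(self, sid, count, window):
        self.sid = sid
        self.count = count
        self.window = window
        # src address -> timestamps of recent matches (state is never pruned
        # for idle sources; a real preprocessor would need to expire keys)
        self._hits = defaultdict(deque)

    def match(self, event):
        """Return True if this event pushes its source over the threshold."""
        if event["sid"] != self.sid:
            return False
        q = self._hits[event["src"]]
        q.append(event["ts"])
        # drop matches that fell out of the Y-second window
        while q and event["ts"] - q[0] > self.window:
            q.popleft()
        if len(q) >= self.count:
            q.clear()  # one burst yields one alert, then counting restarts
            return True
        return False


def run_trigger(rule, events):
    """Feed time-ordered events through the rule; return alert timestamps."""
    return [e["ts"] for e in events if rule.match(e)]


# Constructed sample events (not real alerts): sid 1000001 seen from
# 10.0.0.5 at 0, 1.5, 2.5 and 9 s, once from 10.0.0.9, plus an unrelated sid.
SAMPLE_EVENTS = [
    {"ts": 0.0, "sid": 1000001, "src": "10.0.0.5"},
    {"ts": 1.0, "sid": 1000001, "src": "10.0.0.9"},
    {"ts": 1.5, "sid": 1000001, "src": "10.0.0.5"},
    {"ts": 2.0, "sid": 1000002, "src": "10.0.0.5"},
    {"ts": 2.5, "sid": 1000001, "src": "10.0.0.5"},
    {"ts": 9.0, "sid": 1000001, "src": "10.0.0.5"},
]

if __name__ == "__main__":
    # 3 matches from 10.0.0.5 inside 5 s -> one alert at t=2.5
    print(run_trigger(TriggerRule(1000001, count=3, window=5), SAMPLE_EVENTS))
```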