[Snort-users] not detecting common intrusion

Steve Halligan giermo at ...187...
Thu Jun 27 07:12:05 EDT 2002

>You can't use a rule, since there's not a "X packets over Y time" logic built
>into the rule parser.  You'd have to have some sort of preprocessor similar to
>the portscan preprocessor to do that.

A while back I wrote up a patch to create a new ruletype I called a Trigger
rule that did exactly this.  The alert would fire if and only if the
signature got matched X times in Y seconds.  Perhaps someone would be
interested in re-visiting this idea?  I submitted two versions of the patch,
one based on the 1.8.x codebase and one on the 1.9/2.0 codebase.  They are
probably both out-of-date currently, and would need some tweaking to get
them to work, which I do not currently have time to do.

If there is any interest in this, I would be happy to forward the old
patches.  They can also be found in the snort-devel archive.
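Added example, not the patch described in this post: the "matched X times in Y seconds" counting logic such a Trigger rule needs, written in C as a per-signature state struct that Snort would update on each signature match. The names, the fixed-size window buffer and the clear-after-fire behaviour are assumptions.

```c
/* Added example (not the patch from the post): one "X matches in Y seconds"
 * trigger per signature; names and reset-after-fire behaviour are assumed. */
#include <time.h>

#define TRIGGER_MAX 64              /* upper bound on X; keeps the buffer fixed-size */

typedef struct {
    int    count, seconds, n;       /* X, Y, and match times still in the window */
    time_t stamps[TRIGGER_MAX];
} trigger_t;

void trigger_init(trigger_t *t, int count, int seconds)
{
    t->count = count < 1 ? 1 : count > TRIGGER_MAX ? TRIGGER_MAX : count;
    t->seconds = seconds;
    t->n = 0;
}

/* Record a match at `now`; return 1 when it is the Xth match within the last
 * Y seconds (the alert fires), else 0. The window is cleared after firing so a
 * single burst raises one alert rather than one per additional packet. */
int trigger_match(trigger_t *t, time_t now)
{
    int i, kept = 0;
    for (i = 0; i < t->n; i++)          /* expire matches older than Y seconds */
        if (now - t->stamps[i] < t->seconds)
            t->stamps[kept++] = t->stamps[i];
    t->n = kept;
    t->stamps[t->n++] = now;            /* n never exceeds count: we reset below */
    if (t->n >= t->count) {
        t->n = 0;
        return 1;
    }
    return 0;
}

/* Replay a list of match times through a fresh trigger; return the alert count. */
int count_alerts(int count, int seconds, const time_t *times, int ntimes)
{
    trigger_t t;
    int i, fired = 0;
    trigger_init(&t, count, seconds);
    for (i = 0; i < ntimes; i++)
        fired += trigger_match(&t, times[i]);
    return fired;
}

/* Constructed sample: six hits one second apart against a "3 in 10s" rule. */
static const time_t sample_burst[] = {0, 1, 2, 3, 4, 5};
int sample_burst_alerts(void) { return count_alerts(3, 10, sample_burst, 6); } /* 2 */
```

Matches are timestamped by the caller (packet time), so the same logic can be driven from a live sensor or from a pcap replay.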


