[Snort-users] not detecting common intrusion

Cearns Angela acearns at ...131...
Thu Jun 27 11:53:02 EDT 2002


Yes, Steve:

I'd love to look into your idea, could you please
forward me the patches?

Thanks,
Ang
--- Steve Halligan <giermo at ...187...> wrote:
> >
> >You can't use a rule, since there's not a "X
> packets over Y 
> >time" logic built
> >into the rule parser.  You'd have to have some sort
> of 
> >preprocessor similar to
> >the portscan preprocessor to do that.
> >
> 
> A while back I wrote up a patch to create a new
> ruletype I called a Trigger
> rule that did exactly this.  The alert would fire if
> and only if the
> signature got matched X times in Y seconds.  Perhaps
> someone would be
> interested in re-visiting this idea?  I submitted
> two versions of the patch,
> one based on the 1.8.x codebase and one on the
> 1.9/2.0 codebase.  They are
> probably both out-of-date currently, and would need
> some tweaking to get
> them to work, which I do not currently have time to
> do.
> 
> If there is any interest in this, I would be happy
> to forward the old
> patches.  They can also be found in the snort-devel
> archive.
> 
> -Steve
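The "signature matched X times in Y seconds" logic that Steve's Trigger rule implemented, written out here as an added Python illustration; this is not Steve's patch or Snort code, and the `TriggerRule` class, its parameters and the sample match list are constructed for the example.

```python
from collections import defaultdict, deque

class TriggerRule:
    """Fire an alert only when the same signature matches at least
    `count` times within a sliding window of `seconds` seconds.
    Hypothetical helper, not Snort's own rule type."""
    def __init__(self, sid, count, seconds):
        self.sid = sid
        self.count = count
        self.seconds = seconds
        # tracking key (e.g. source IP) -> timestamps of recent matches
        self._hits = defaultdict(deque)

    def match(self, key, ts):
        """Record one signature match for `key` at time `ts`.
        Returns True only when this match completes a burst of
        `count` hits inside the window."""
        q = self._hits[key]
        q.append(ts)
        # discard matches that fell out of the window
        while q and ts - q[0] > self.seconds:
            q.popleft()
        if len(q) >= self.count:
            q.clear()  # each alert requires a fresh burst
            return True
        return False

# Constructed sample: (timestamp, sid, src_ip) of individual rule matches
SAMPLE_MATCHES = [
    (0.0, 1000, "10.0.0.5"),
    (1.0, 1000, "10.0.0.5"),
    (2.0, 1000, "10.0.0.9"),
    (3.5, 1000, "10.0.0.5"),   # third hit from 10.0.0.5 within 5s -> alert
    (20.0, 1000, "10.0.0.5"),
    (30.0, 1000, "10.0.0.5"),  # spread out, stays below the threshold
]

def run(matches, count=3, seconds=5.0):
    """Replay matches through one Trigger rule; return (ts, key) alerts."""
    rule = TriggerRule(1000, count, seconds)
    alerts = []
    for ts, sid, src in matches:
        if sid == rule.sid and rule.match(src, ts):
            alerts.append((ts, src))
    return alerts

if __name__ == "__main__":
    print(run(SAMPLE_MATCHES))  # [(3.5, '10.0.0.5')]
```

Keying the counter on source address means two slow hosts never combine into one alert, which is the same per-tracker choice a preprocessor like portscan has to make.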

