[Snort-users] not detecting common intrusion
acearns at ...131...
Thu Jun 27 13:09:04 EDT 2002
Just curious, what were the results of your work? Do you have any data/alerts?
--- Steve Halligan <giermo at ...187...> wrote:
> >You can't use a rule, since there's not a "X packets over Y time" logic built
> >into the rule parser. You'd have to have some sort of preprocessor similar to
> >the portscan preprocessor to do that.
> A while back I wrote up a patch to create a new ruletype I called a Trigger
> rule that did exactly this. The alert would fire if and only if the
> signature got matched X times in Y seconds. Perhaps someone would be
> interested in re-visiting this idea? I submitted two versions of the patch,
> one based on the 1.8.x codebase and one on the 1.9/2.0 codebase. They are
> probably both out-of-date currently, and would need some tweaking to get
> them to work, which I do not currently have time to
> If there is any interest in this, I would be happy to forward the old
> patches. They can also be found in the snort-devel
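The "Trigger" semantics quoted above (fire if and only if a signature matches X times within Y seconds) are the same sliding-window threshold that many detection engines implement. The following is an added illustration written for this archive page, not Steve Halligan's patch or any Snort code: a small per-signature sliding-window counter fed with a constructed list of (timestamp, sid) match events. The signature ids and timestamps are made up; `TriggerRule` and `run_trigger` are hypothetical names.

```python
from collections import deque


class TriggerRule:
    """Fire an alert only when the same signature matches at least
    `count` times within any `seconds`-long sliding window.

    Hypothetical reimplementation of the "Trigger" ruletype idea from
    the thread; not the original patch.
    """

    def __init__(self, count, seconds):
        if count < 1 or seconds <= 0:
            raise ValueError("count must be >= 1 and seconds > 0")
        self.count = count
        self.seconds = seconds
        # per-signature deque of match timestamps still inside the window
        self._hits = {}

    def match(self, sid, ts):
        """Record one match of signature `sid` at time `ts` (seconds).

        Returns True if this match pushes the signature over the
        threshold, i.e. the alert should fire now.
        """
        window = self._hits.setdefault(sid, deque())
        window.append(ts)
        # drop matches that fell out of the Y-second window
        while window and ts - window[0] > self.seconds:
            window.popleft()
        if len(window) >= self.count:
            # reset after firing so one burst produces one alert,
            # not an alert on every further packet of the burst
            window.clear()
            return True
        return False


def run_trigger(events, count, seconds):
    """Feed (timestamp, sid) events through a TriggerRule and return
    the list of (timestamp, sid) at which an alert fired."""
    rule = TriggerRule(count, seconds)
    return [(ts, sid) for ts, sid in events if rule.match(sid, ts)]


# Constructed sample match stream: timestamps in seconds, made-up sids.
SAMPLE_EVENTS = [
    (0.0, 1000001),
    (0.5, 1000001),
    (1.0, 1000001),   # third hit inside 2 s -> fires for count=3, seconds=2
    (10.0, 1000001),  # isolated hit, earlier window has expired
    (10.1, 1000002),  # different signature, counted separately
    (30.0, 1000001),
    (31.9, 1000001),
    (32.5, 1000001),  # 30.0 has aged out (2.5 s > 2 s), only 2 left, no alert
    (33.0, 1000001),  # 31.9..33.0 holds 3 hits within 1.1 s -> fires
]


if __name__ == "__main__":
    for ts, sid in run_trigger(SAMPLE_EVENTS, count=3, seconds=2.0):
        print(f"ALERT t={ts:.1f}s sid={sid}")
```

Each signature keeps only the timestamps that are still inside the window, so memory is bounded by X per signature regardless of packet rate; clearing the window on fire is a design choice that trades one alert per burst for the ability to count the burst again once it restarts. For the Snort 1.8/1.9 era this thread discusses, a preprocessor or patched ruletype was indeed the only way to get this behaviour.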