[Snort-users] Too many events in logs

Matt Kettler mkettler at ...4108...
Thu May 23 12:11:18 EDT 2002


Well, I can think of 2 quick ways to help handle it, but offhand I do not 
know of a way to purposefully make snort NOT log an alert just because the 
alert went off several times already.

1) Try to be narrower in your rule so you get fewer false positives, i.e. if you're 
looking for IM traffic, add a content rule that catches the start of a 
session, not every packet within it.

2) Use syslog logging. Most current syslogds tend to "group" a repeated 
alert by simply stating "the previous message was repeated N times".


Flows might also help you in accomplishing the same effects as #1, but 
that's not a feature of an "official" (i.e. numbered) release version of snort 
yet. From what little I understand this allows you to do "if this, then 
sometime later that, then alert" type setups with a couple of rules chained 
together into a flow.

At 11:06 AM 5/23/2002 -0700, spyguy703 at ...741... wrote:
>Sorry for asking a dumb question. But I need to log port 80/tcp traffic to 
>a certain server. (not web traffic)
>
>I have already created a simple rule. My problem is that there are too 
>many alerts.
>
>Is there a way in snort to limit how many rule matches get logged?
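
The two suggestions above, written out as Snort rules. This is an added example, not part of the original thread and not the poster's own rule set; the server address 192.168.1.10, the assumption that the non-web protocol on 80/tcp is SSH (so its session starts with an "SSH-" banner), the $MYSERVER variable and the sid numbers are all made up for illustration.

```snort
# Added example (not from the original post). Address, protocol and sids are
# assumptions for illustration only.
var MYSERVER 192.168.1.10

# Broad rule, as in the original question: every packet of every 80/tcp
# session to the server fires an alert, which is what floods the log.
alert tcp any any -> $MYSERVER 80 (msg:"80/tcp to MYSERVER (broad)"; sid:1000001; rev:1;)

# Narrow rule, first form: fire once per connection, on the SYN that opens it
# (flags:S matches a packet with only the SYN flag set).
alert tcp any any -> $MYSERVER 80 (msg:"80/tcp session opened to MYSERVER"; flags:S; sid:1000002; rev:1;)

# Narrow rule, second form, following suggestion #1: match content that only
# appears at the start of the session. Here the assumed protocol is SSH, whose
# server banner begins with "SSH-" at offset 0 of the first data packet.
# flags:A+ matches packets with ACK set plus any other flags (PSH, etc).
alert tcp $MYSERVER 80 -> any any (msg:"SSH banner from MYSERVER on 80/tcp"; flags:A+; content:"SSH-"; offset:0; depth:4; sid:1000003; rev:1;)

# Suggestion #2: send alerts to syslog instead of (or in addition to) the
# alert file, so syslogd can collapse identical consecutive lines into
# "last message repeated N times".
output alert_syslog: LOG_AUTH LOG_ALERT
```

One caveat on the syslog approach: the classic syslogd only collapses a message when it is identical to the immediately preceding one, so alerts from several hosts or rules interleaved in the same log will not be grouped. The SYN-only rule is the cheaper way to get one line per connection regardless of what protocol is riding on the port.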
