[Snort-users] Too many events in logs
mkettler at ...4108...
Thu May 23 12:11:18 EDT 2002
Well, I can think of 2 quick ways to help handle it, but offhand I do not
know of a way to purposefully make snort NOT log an alert just because the
alert went off several times already.
1) try to be more narrow in your rule so you false less, i.e. if you're
looking for IM traffic, add a content rule that catches the start of a
session, not every packet within it.
2) use syslog logging. Most current syslogds tend to "group" a repeated
alert by simply stating "the previous message was repeated N times".
Flows might also help you in accomplishing the same effects as #1, but
that's not a feature of an "official" (i.e. numbered) release version of snort
yet. From what little I understand this allows you to do "if this, then
sometime later that, then alert" type setups with a couple rules chained
together into a flow.
At 11:06 AM 5/23/2002 -0700, spyguy703 at ...741... wrote:
>Sorry for asking a dumb question. But I need to log port 80/tcp traffic to
>a certain server. (not web traffic)
>I have already created a simple rule. My problem is that there are too
>Is there a way in snort to limit how many rule matches get logged?
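As an added illustration of suggestion #1 above (not part of the original thread), here is the narrowing it describes, written in Snort 1.x rule syntax for the port 80/tcp case the question raises; the server address 192.168.1.10 is a placeholder. The broad rule produces one event for every packet in every connection, while the narrowed rule matches only the SYN that opens a session, so each connection is logged once.

```snort
# Broad: every TCP packet sent to the server's port 80 becomes a log entry,
# so a single busy connection can fill the logs on its own.
log tcp any any -> 192.168.1.10 80 (msg:"port 80 traffic to server";)

# Narrowed: flags:S matches only packets with exactly the SYN flag set,
# i.e. the first packet of each new connection, giving one event per session.
alert tcp any any -> 192.168.1.10 80 (msg:"port 80 session opened to server"; flags:S;)
```

Later Snort 2.x releases also added the `threshold` rule option and `event_filter` configuration to rate-limit how often a given rule may generate events, which is the capability the reply says it did not know of in 2002.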