[Snort-users] q about alerts

Weber Mail Don at ...5881...
Thu May 30 18:03:05 EDT 2002


I want to be alerted when a specific event occurs. The rule I have made
triggers the alert correctly; however, it continues to alert 4 or 5
times per second. My purpose is alerting upon a telnet connection to machine
x by machines x, y and z, then tcpdump.
It looks something like this:

var telclients [192.168.1.3/32,111.222.111.222/32,1.2.2.4/32]
var telserver [192.168.1.1/24]
alert tcp $telclients any -> $telserver any (msg:"Telnet session in progress";)
output log_tcpdump: telnets.log

I'd prefer an alert upon the initial connection, and an alert on any new
connection, but I currently get about 5 alerts per second on just one
connection.

Any ideas?

Don
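As an added illustration of the behaviour described in the post (this is example code written for this page, not Don's rule and not Snort's own code): a rule whose only criteria are the IP/port header fields is evaluated against every packet, so one telnet session produces one alert per packet. Adding the Snort option `flags:S;` restricts the match to a packet whose TCP flags are exactly SYN, i.e. the first packet of each new connection. The model below re-implements the posted rule's header check and the SYN-qualified variant in Python and runs both over a constructed capture; the `Packet` class, the port numbers and the packet sequence are assumptions made for the example.

```python
# Added example (not from the original post and not Snort code): a model of
# how Snort evaluates the posted rule, to show why header-only criteria alert
# on every packet of a session while 'flags:S;' limits the alert to the SYN
# that opens each connection.  All packets below are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump notation: "S"=SYN, "S."=SYN/ACK, "."=ACK, "P."=PSH/ACK, "F."=FIN/ACK


# The same address lists as in the post.  The server entry keeps the /24 mask
# as written; strict=False lets ipaddress accept a host address with a network
# mask, and the result covers the whole 192.168.1.0/24, not only machine x.
TELCLIENTS = [ipaddress.ip_network(n) for n in ("192.168.1.3/32", "111.222.111.222/32", "1.2.2.4/32")]
TELSERVER = [ipaddress.ip_network("192.168.1.1/24", strict=False)]


def in_any(addr, nets):
    return any(ipaddress.ip_address(addr) in n for n in nets)


def rule_as_posted(pkt):
    """'alert tcp $telclients any -> $telserver any': header checks only,
    so every client-to-server packet of a matching session fires."""
    return in_any(pkt.src, TELCLIENTS) and in_any(pkt.dst, TELSERVER)


def rule_with_flags_s(pkt):
    """Same rule with 'flags:S;' added: only a packet whose TCP flags are
    exactly SYN (the first packet of a new connection) fires."""
    return rule_as_posted(pkt) and pkt.flags == "S"


def alerts(packets, rule):
    return [p for p in packets if rule(p)]


# Constructed traffic: one full telnet session from 192.168.1.3, the opening of
# a second session from 1.2.2.4, and a SYN from a host not in $telclients.
CAPTURE = [
    Packet("192.168.1.3", 40001, "192.168.1.1", 23, "S"),   # client SYN
    Packet("192.168.1.1", 23, "192.168.1.3", 40001, "S."),  # server SYN/ACK
    Packet("192.168.1.3", 40001, "192.168.1.1", 23, "."),   # client ACK
    Packet("192.168.1.3", 40001, "192.168.1.1", 23, "P."),  # telnet option negotiation
    Packet("192.168.1.1", 23, "192.168.1.3", 40001, "P."),  # server reply
    Packet("192.168.1.3", 40001, "192.168.1.1", 23, "P."),  # keystrokes
    Packet("192.168.1.3", 40001, "192.168.1.1", 23, "P."),  # more keystrokes
    Packet("192.168.1.3", 40001, "192.168.1.1", 23, "F."),  # client closes
    Packet("192.168.1.1", 23, "192.168.1.3", 40001, "F."),  # server closes
    Packet("1.2.2.4", 50123, "192.168.1.1", 23, "S"),       # second client SYN
    Packet("192.168.1.1", 23, "1.2.2.4", 50123, "S."),
    Packet("1.2.2.4", 50123, "192.168.1.1", 23, "."),
    Packet("10.0.0.9", 50000, "192.168.1.1", 23, "S"),      # not in $telclients
]


def alert_counts(packets=CAPTURE):
    """Number of alerts each rule variant raises over the capture."""
    return {
        "as_posted": len(alerts(packets, rule_as_posted)),
        "with_flags_s": len(alerts(packets, rule_with_flags_s)),
    }


if __name__ == "__main__":
    for name, count in alert_counts().items():
        print(f"{name}: {count} alerts")
```

On the constructed capture the posted rule fires 8 times (every client-to-server packet of both sessions) and the SYN-qualified rule twice (once per new connection). In a real Snort configuration the equivalent change is adding `flags:S;` to the rule options (`flags:S,12;` if the two reserved bits should be ignored). Two caveats: `192.168.1.1/24` in the `var` line matches the whole /24, so `/32` is needed if only machine x is meant; and because `log_tcpdump` writes only the packets that matched a rule, a SYN-only rule will log just the SYNs, so capturing whole sessions to `telnets.log` needs a separate `log` rule without the flag restriction.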
