[Snort-users] activate dynamic

Slighter, Tim tslighter at ...5174...
Tue Jul 22 10:05:09 EDT 2003


I see that you understand the goal here.  Ultimately it would be a highly
useful feature in Snort.  Thanks.

-----Original Message-----
From: Erek Adams [mailto:erek at ...950...]
Sent: Tuesday, July 22, 2003 7:55 AM
To: Slighter, Tim
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] activate dynamic


On Tue, 22 Jul 2003, Slighter, Tim wrote:

> yes precisely.  or the other way around too...where the number of times a
> rule is fired is counted and then to STOP alerting when it reaches a certain
> threshold

Nope.  No thresholding of any type.

Now, there is a possible workaround...

Use swatch and its 'throttle' option.  That will perform almost as you
want.  Then once that threshold is done, have swatch cause a very specific
alert that actually generates the data you want.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

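Added example, not part of either message and not swatch itself: a Python filter showing the count-then-suppress behaviour discussed in the thread, run over constructed Snort fast-alert lines. The function name, the limit and window parameters, and the THRESHOLD marker text are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Snort "fast" alert layout (not real traffic).
SAMPLE = [
    "07/22-10:05:01.000000  [**] [1:1000001:1] TEST noisy rule [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20",
    "07/22-10:05:02.000000  [**] [1:1000001:1] TEST noisy rule [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20",
    "07/22-10:05:03.000000  [**] [1:1000001:1] TEST noisy rule [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20",
    "07/22-10:05:04.000000  [**] [1:1000001:1] TEST noisy rule [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20",
    "07/22-10:05:05.000000  [**] [1:1000002:1] TEST other rule [**] [Priority: 2] {TCP} 192.0.2.11:1025 -> 192.0.2.20:80",
    "07/22-10:11:00.000000  [**] [1:1000001:1] TEST noisy rule [**] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20",
]

# timestamp, gid:sid (revision ignored), rule message
ALERT_RE = re.compile(r"^(\S+)\s+\[\*\*\] \[(\d+:\d+):\d+\] (.*?) \[\*\*\]")

def throttle(lines, limit=2, window=timedelta(minutes=5)):
    """Pass the first `limit` alerts per gid:sid in each window, emit one
    marker line when the limit is exceeded, then stay quiet until the
    window (measured from its first alert) has expired."""
    state = {}  # "gid:sid" -> (window_start, count)
    out = []
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            out.append(line)  # not an alert line: pass through untouched
            continue
        ts = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f")
        key, msg = m.group(2), m.group(3)
        start, count = state.get(key, (ts, 0))
        if ts - start >= window:  # window expired: start counting again
            start, count = ts, 0
        count += 1
        state[key] = (start, count)
        if count <= limit:
            out.append(line)
        elif count == limit + 1:  # single, specific "threshold hit" alert
            out.append(f"{m.group(1)}  THRESHOLD {key} '{msg}': "
                       f"more than {limit} alerts in {window}, suppressing")
    return out

if __name__ == "__main__":
    print("\n".join(throttle(SAMPLE)))
```
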