[Snort-users] Time Based IDS Rules

adam.w.hogan adam.w.hogan at ...9362...
Tue Nov 18 05:06:02 EST 2003


I think you would still want all those alerts.  If there are a lot of false positives then I think you need an analysis tool that will ignore or filter out alerts from a certain time of day.  That way you'll still have the information if you want to check it out, but can keep it flexible enough to analyze it easily and quickly.

-Adam.

-----Original Message-----
From: Josh Berry [mailto:josh.berry at ...10221...]
Sent: Monday, November 17, 2003 4:19 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Time Based IDS Rules


Has there ever been any discussion/development done on potentially adding
time options to IDS signatures?

Like the time module for IPTables, where you can specify days that the
rule will be active and the time of day?

This would be useful for instances where there are high degrees of false
positives at certain times of the day, but should not be any activity at
others.  In my company, we do a lot of development that triggers several
of the WEB-XXX rules during the day, but the kind of traffic I would never
expect to see at night.


-------------------------------------------------------
This SF. Net email is sponsored by: GoToMyPC
GoToMyPC is the fast, easy and secure way to access your computer from
any Web browser or wireless device. Click here to Try it Free!
https://www.gotomypc.com/tr/OSDN/AW/Q4_2003/t/g22lp?Target=mm/g22lp.tmpl
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

****************************************************************************************

Note: The information contained in this message may be privileged and confidential and thus protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.

****************************************************************************************




More information about the Snort-users mailing list