[Snort-users] Can I still log every packet when thresholding the alerts?

Jason Haar Jason.Haar at ...294...
Tue Nov 25 13:21:09 EST 2003


On Wed, 2003-11-26 at 09:13, Williams Jon wrote:
> So, I was thinking, could I use a rule that has the threshold stuff set
> to generate only one alert every X minutes and then have a second rule
> that just logs any packet that matches the same criteria?  I vaguely

I think you may be trying too hard to make the snort thresholding do
something that's not its job.

What wrong with not using thresholding in snort, but instead to rely on
your alerting/paging interface to do thresholding?

That's what we do here. Snort logs to syslog and mysql, and swatch
watches the syslog file, and sends pages/etc when it sees interesting
stuff - but uses it's threshold option to limit how many (e.g. 1 every
ten minutes).

Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1






More information about the Snort-users mailing list