[Snort-users] Throttling Snort Alert Logging

Robert Vance Jr rev at ...10091...
Wed Sep 17 08:29:08 EDT 2003


Is there or has anyone devised a method to limit the logging of specific
alerts?  Essentially the chatty nature of the recent MS DCOM worm
attacks has had a tendency of populating Snort databases with a hundred
thousand alerts per infected host when a hundred or a single one would
do the trick.  I should also mention that I am using Snort to police
hosts on my local network as opposed to detecting attacks from the
Internet.

My scenario is as follows.   I have a number of Snort sensors gathering
data from different routing sites on my network.  Each site has the
potential to see a GB of traffic.  These sensors report their findings
to a central DB server.  I would like a means to throttle the logging
activity of the sensors so that only a fixed number of alerts specific
to any one misbehaving host will be sent to the central DB.

Thoughts?

Robert
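The throttling the post asks for is what Snort's `threshold` directive does (a `threshold gen_id ..., sig_id ..., type limit, track by_src, count N, seconds S` line in threshold.conf in Snort 2.x; later releases call the same thing `event_filter`). As an added example that is not part of the post or of Snort itself, the script below models those semantics in Python over constructed alert records, so the effect of `limit`, `threshold` and `both` per source host can be seen before touching a sensor. The rule ids 9999 and 1234, the addresses and the timestamps are all made up for the demonstration.

```python
"""Per-source alert throttling with the semantics of Snort's threshold directive.

Added example, not code from the mailing-list post or from Snort. It models
what a line in Snort's threshold.conf such as

    threshold gen_id 1, sig_id <SID>, type limit, track by_src, count 1, seconds 60

does for one rule: keep at most `count` alerts per source address in every
`seconds`-long window and drop the rest. The alert records below are
constructed sample data, not real sensor output; <SID> stands for whichever
rule is firing (the post names none).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    ts: int     # event time, epoch seconds (constructed)
    sid: int    # rule signature id (placeholder values below)
    src: str    # source address
    dst: str    # destination address


class EventFilter:
    """One threshold line. kind is 'limit', 'threshold' or 'both'; track is
    'by_src' or 'by_dst'. State is kept per tracked address as
    (window_start, events_seen_in_window)."""

    def __init__(self, sid: int, kind: str, track: str, count: int, seconds: int):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError(f"unknown filter type {kind!r}")
        if track not in ("by_src", "by_dst"):
            raise ValueError(f"unknown track {track!r}")
        self.sid, self.kind, self.track = sid, kind, track
        self.count, self.seconds = count, seconds
        self.state: Dict[str, Tuple[int, int]] = {}

    def accept(self, a: Alert) -> bool:
        """Return True if the alert should be logged, False if suppressed."""
        if a.sid != self.sid:
            return True                     # a filter applies to one rule only
        key = a.src if self.track == "by_src" else a.dst
        start, seen = self.state.get(key, (a.ts, 0))
        if a.ts - start >= self.seconds:    # window expired: start a new one
            start, seen = a.ts, 0
        seen += 1
        self.state[key] = (start, seen)
        if self.kind == "limit":            # first `count` events per window
            return seen <= self.count
        if self.kind == "threshold":        # every `count`-th event
            return seen % self.count == 0
        return seen == self.count           # 'both': once per window, at count


def throttle(alerts: List[Alert], filters: List[EventFilter]) -> List[Alert]:
    """Feed alerts through every filter in time order; log an alert only if
    all filters accept it. Every filter sees every alert so its window
    state stays correct even when another filter suppresses the event."""
    kept: List[Alert] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        decisions = [f.accept(a) for f in filters]
        if all(decisions):
            kept.append(a)
    return kept


def sample_alerts() -> List[Alert]:
    """Constructed traffic: one infected host tripping a rule once a second
    for 300 s, one host that trips it three times, plus unrelated alerts
    on a different rule from the infected host."""
    worm_sid, other_sid = 9999, 1234        # placeholder rule ids
    alerts = [Alert(100 + i, worm_sid, "10.0.0.5", "10.0.1.1") for i in range(300)]
    alerts += [Alert(t, worm_sid, "10.0.0.9", "10.0.1.2") for t in (105, 106, 500)]
    alerts += [Alert(200 + i, other_sid, "10.0.0.5", "10.0.1.3") for i in range(5)]
    return alerts


def per_source_counts(alerts: List[Alert], sid: int) -> Dict[str, int]:
    """How many alerts for `sid` were logged per source address."""
    counts: Dict[str, int] = {}
    for a in alerts:
        if a.sid == sid:
            counts[a.src] = counts.get(a.src, 0) + 1
    return counts


if __name__ == "__main__":
    raw = sample_alerts()
    kept = throttle(raw, [EventFilter(9999, "limit", "by_src", count=1, seconds=60)])
    print(f"{len(raw)} raw alerts -> {len(kept)} logged")
    print(per_source_counts(kept, 9999))    # {'10.0.0.5': 5, '10.0.0.9': 2}
```

With `type limit, count 1, seconds 60` the 300 alerts from the infected host collapse to one per minute (five in total) while the host that only fired three times still shows up, and the unrelated rule is untouched; a `type both, count 5` filter instead suppresses the host that never reached five hits in a window, which is the trade-off to weigh when the goal is to keep the single-hit sightings that matter on an internal network.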
