[Snort-users] Another Snort Rules Question

Erik Fichtner emf at ...367...
Wed Sep 8 17:37:15 EDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Sep 08, 2004 at 01:11:45PM -0700, Scott Elgram wrote:
> Erik,
>     Thankyou for that, I looked into and it may just be what I need,
> however......is there a way i can set so it logs like normal, with the
> queue, but stops if a particular rule is found true?

MMmmmmm.... not off the top of my head..   I know it will order the
alerts by priority, but it's not a cumulative thing, but with a 
relatively minor modification to the source, you could set it up so that
each priority event had a weight to it; e.g:
	priority 1 events weigh 100 points
	priority 2 events weigh 50 points
	priority 3 events weigh 25 points
	...and so on, 
and then, this proposed modification could then be set so that it only
will log "125 points" worth of events.    Then, you could theoretically
change the priorities on your rules so that it worked the way you wanted.

...it's just a thought, and I don't know if it's even a very good one..
I can't actually see much use for having a half-functional event_queue..
Personally, I would want either the one best-match rule 
(e.g: "config event_queue: log 1 order_events content_length") 
or use some external correlator that isn't bothered too deeply by having
multiple events fire.    Again, that's may just be my own personal bias.


- -- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD4DBQFBP6V2Q7EzrewLMS0RAsKoAJY3T3qQkQo72Zpnha7M+dn9QVJIAKCi9DBQ
9RB/0YEVtrZqgIviPdmcfg==
=1LXJ
-----END PGP SIGNATURE-----




More information about the Snort-users mailing list