Snort mailing list archives

Throttling Snort Alert Logging


From: Robert Vance Jr <rev () northwestern edu>
Date: Wed, 17 Sep 2003 10:29:17 -0500

Is there or has anyone devised a method to limit the logging of specific
alerts?  Essentially the chatty nature of the recent MS DCOM worm
attacks have had a tendency of populating Snort databases with a hundred
thousand alerts per infected host when a hundred or a single one would
do the trick.  I should also mention that I am using Snort to police
hosts on my local network as opposed to detecting attacks from the
Internet.

My scenario is as follows.  I have a number of Snort sensors gathering
data from different routing sites on my network.  Each site has the
potential to see a GB of traffic.  These sensors report their findings
to a central DB server.  I would like a means to throttle the logging
activity of the sensors so that only a fixed number of alerts specific
to any one misbehaving host will be sent to the central DB.

Thoughts?

Robert


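Snort 2.x addresses exactly this with event thresholding: lines in threshold.conf (or a `threshold:` option inside a rule) of the form `threshold gen_id 1, sig_id <sid>, type limit, track by_src, count 1, seconds 60`, which logs at most `count` alerts per source per `seconds` window; `type threshold` logs every `count`-th event and `type both` logs once per window once `count` is reached, and `suppress` drops a signature for a given IP entirely. The script below is an added example, not code from the post or from the Snort project: it parses that threshold.conf syntax and applies the three semantics to a constructed stream of alerts, so the effect on a chatty infected host can be checked before touching a sensor. The SIDs (1000001 to 1000003), the IP addresses and the traffic pattern are all made up for the illustration.

```python
"""Model of Snort 2.x event thresholding (added example; SIDs and IPs are invented)."""
import re

# Grammar of a threshold.conf line as used by Snort 2.x (whitespace is tolerated).
THRESHOLD_RE = re.compile(
    r"^threshold\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*type\s+(limit|threshold|both)\s*,"
    r"\s*track\s+(by_src|by_dst)\s*,\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)\s*$")


def parse_threshold_conf(text):
    """Return {(gid, sid): rule} from threshold.conf-style text; comments and blanks are skipped."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = THRESHOLD_RE.match(line)
        if not m:
            raise ValueError("unparsed threshold line: %r" % line)
        gid, sid, kind, track, count, seconds = m.groups()
        rules[(int(gid), int(sid))] = {"type": kind, "track": track,
                                       "count": int(count), "seconds": int(seconds)}
    return rules


class EventFilter:
    """Per-(gid, sid, tracked IP) counters mirroring Snort's semantics:
       limit     - log the first `count` events in a window, drop the rest
       threshold - log every `count`-th event in a window
       both      - log once per window, when the `count`-th event arrives
    """

    def __init__(self, rules):
        self.rules = rules
        self.windows = {}  # (gid, sid, ip) -> (window_start_ts, events_seen)

    def accept(self, ts, gid, sid, src, dst):
        rule = self.rules.get((gid, sid))
        if rule is None:
            return True  # no threshold configured for this signature: log as usual
        ip = src if rule["track"] == "by_src" else dst
        key = (gid, sid, ip)
        start, seen = self.windows.get(key, (None, 0))
        if start is None or ts - start >= rule["seconds"]:
            start, seen = ts, 0  # open a fresh window on the first event after expiry
        seen += 1
        self.windows[key] = (start, seen)
        if rule["type"] == "limit":
            return seen <= rule["count"]
        if rule["type"] == "threshold":
            return seen % rule["count"] == 0
        return seen == rule["count"]  # both


def filter_events(conf_text, events):
    """Feed (ts, gid, sid, src, dst) tuples through the filter in time order; return those to log."""
    flt = EventFilter(parse_threshold_conf(conf_text))
    return [e for e in sorted(events) if flt.accept(*e)]


def count_by_sid_and_ip(logged):
    """Summarise logged alerts as {(sid, src): n} for a quick sanity check."""
    counts = {}
    for ts, gid, sid, src, dst in logged:
        counts[(sid, src)] = counts.get((sid, src), 0) + 1
    return counts


# Constructed configuration: SIDs are hypothetical, not real Snort rule IDs.
CONSTRUCTED_CONF = """
# one alert per source per minute for the noisy signature
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
# one alert per 50 hits from a source for another signature
threshold gen_id 1, sig_id 1000002, type threshold, track by_src, count 50, seconds 60
"""


def constructed_events():
    """Constructed alert stream: two infected hosts sweeping a /24 on one signature."""
    ev = []
    for i in range(150):  # 10.0.0.5 probes five hosts a second for 30 s (150 alerts)
        ev.append((i / 5, 1, 1000001, "10.0.0.5", "10.0.1.%d" % (i % 254 + 1)))
    for i in range(100):  # 10.0.0.9 joins in 10 s later (100 alerts)
        ev.append((10 + i / 5, 1, 1000001, "10.0.0.9", "10.0.1.%d" % (i % 254 + 1)))
    ev.append((65.0, 1, 1000001, "10.0.0.5", "10.0.2.1"))  # still at it in the next minute
    for i in range(120):  # 120 hits on the second signature from 10.0.0.5 within 20 s
        ev.append((i / 6, 1, 1000002, "10.0.0.5", "10.0.3.1"))
    ev.append((3.0, 1, 1000003, "10.0.0.7", "10.0.0.1"))  # no threshold: unaffected
    return ev


if __name__ == "__main__":
    logged = filter_events(CONSTRUCTED_CONF, constructed_events())
    print("%d alerts in, %d logged" % (len(constructed_events()), len(logged)))
    for (sid, src), n in sorted(count_by_sid_and_ip(logged).items()):
        print("  sid %d from %s: %d" % (sid, src, n))
```

Run as-is, 372 constructed alerts collapse to six logged ones. Because the counters live on each sensor, a host seen by several sensors will still produce up to `count` alerts per sensor per window at the central DB; that is usually acceptable, but it is the caveat to keep in mind when picking `count`.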
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
