Snort mailing list archives
Throttling Snort Alert Logging
From: Robert Vance Jr <rev () northwestern edu>
Date: Wed, 17 Sep 2003 10:29:17 -0500
Is there or has anyone devised a method to limit the logging of specific alerts? Essentially the chatty nature of the recent MS DCOM worm attacks has had a tendency to populate Snort databases with a hundred thousand alerts per infected host when a hundred or a single one would do the trick. I should also mention that I am using Snort to police hosts on my local network as opposed to detecting attacks from the Internet.

My scenario is as follows. I have a number of Snort sensors gathering data from different routing sites on my network. Each site has the potential to see a GB of traffic. These sensors report their findings to a central DB server. I would like a means to throttle the logging activity of the sensors so that only a fixed number of alerts specific to any one misbehaving host will be sent to the central DB.

Thoughts?

Robert

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
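The per-host cap Robert asks for, shown as an added example that is not part of the post and not Snort's own code: a small Python filter that reads Snort fast-format alert lines and forwards only the first N alerts per (generator, signature, source host) within each time window, dropping the rest and counting what it dropped. That is the same semantics as Snort's event thresholding with `type limit, track by_src`; the filter here is only to make the logic concrete and to show the edge that matters (a new window must start once `seconds` have elapsed, otherwise a persistently infected host is silenced forever). The alert lines, the local-range SID 1000001 and the year 2003 prepended to the year-less fast-alert timestamps are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for Snort "fast" alert lines; written to match the constructed
# sample below (timestamp, [gid:sid:rev], message, {proto} src -> dst).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Assumption: the log is from 2003; fast alerts carry no year, so one is
# prepended before parsing.
LOG_YEAR = "2003"


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["time"] = datetime.strptime(
        f"{LOG_YEAR}/{alert['ts']}", "%Y/%m/%d-%H:%M:%S.%f"
    ).timestamp()
    return alert


class PerHostLimiter:
    """Admit at most `count` alerts per (gid, sid, src) in each `seconds`-long
    window, counted from the first alert that opened the window."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.windows = {}                 # key -> (window_start, admitted_in_window)
        self.suppressed = defaultdict(int)  # key -> total dropped

    def admit(self, alert):
        key = (alert["gid"], alert["sid"], alert["src"])
        start, seen = self.windows.get(key, (None, 0))
        now = alert["time"]
        if start is None or now - start >= self.seconds:
            start, seen = now, 0          # window expired: open a fresh one
        if seen < self.count:
            self.windows[key] = (start, seen + 1)
            return True
        self.windows[key] = (start, seen)
        self.suppressed[key] += 1
        return False


def throttle(lines, count, seconds):
    """Filter alert lines; non-alert lines pass through untouched so nothing
    is lost silently. Returns (kept_lines, suppressed_counts)."""
    limiter = PerHostLimiter(count, seconds)
    kept = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or limiter.admit(alert):
            kept.append(line)
    return kept, dict(limiter.suppressed)


# Constructed sample: one noisy host (10.1.2.3) firing the same local rule at
# four targets in two seconds, a second host, then the noisy host again 61 s later.
_A = "[**] [1:1000001:1] LOCAL DCOM RPC bind attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP}"
SAMPLE = "\n".join([
    f"09/17-10:29:17.000001  {_A} 10.1.2.3:1025 -> 10.1.5.6:135",
    f"09/17-10:29:17.500000  {_A} 10.1.2.3:1026 -> 10.1.5.7:135",
    f"09/17-10:29:18.000000  {_A} 10.1.2.3:1027 -> 10.1.5.8:135",
    f"09/17-10:29:18.250000  {_A} 10.1.2.3:1028 -> 10.1.5.9:135",
    f"09/17-10:29:30.000000  {_A} 10.1.9.9:3001 -> 10.1.5.6:135",
    f"09/17-10:30:18.000000  {_A} 10.1.2.3:1030 -> 10.1.5.10:135",
])

if __name__ == "__main__":
    kept, dropped = throttle(SAMPLE.splitlines(), count=2, seconds=60)
    print("\n".join(kept))
    for (gid, sid, src), n in dropped.items():
        print(f"suppressed {n} alert(s) for {gid}:{sid} from {src}")
```

Run against the sample with `count=2, seconds=60`, four of the six lines survive: the first two from 10.1.2.3, the single alert from 10.1.9.9, and the 10.1.2.3 alert that arrives after the 60-second window has closed. Whatever enforces the cap, sensor-side or at the collector, should also log the suppressed count, so the central database still records that the host was noisy without storing every packet's alert.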
Current thread:
- Throttling Snort Alert Logging Robert Vance Jr (Sep 17)