Snort mailing list archives
Re: Can I still log every packet when thresholding the alerts?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 26 Nov 2003 10:20:37 +1300
On Wed, 2003-11-26 at 09:13, Williams Jon wrote:
So, I was thinking, could I use a rule that has the threshold stuff set to generate only one alert every X minutes and then have a second rule that just logs any packet that matches the same criteria? I vaguely
I think you may be trying too hard to make the snort thresholding do something that's not its job. What's wrong with not using thresholding in snort, but instead relying on your alerting/paging interface to do thresholding? That's what we do here. Snort logs to syslog and mysql, and swatch watches the syslog file, and sends pages/etc when it sees interesting stuff - but uses its threshold option to limit how many (e.g. 1 every ten minutes).

Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
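The split Jason describes, as an added Python sketch that is not the thread's own swatch setup: every Snort syslog line is parsed and counted (nothing is dropped), while pages are throttled to one per signature per window. The ten-minute window, the 2003 year for the year-less syslog timestamps, and the log lines themselves are assumptions constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed Snort syslog lines (not taken from the thread); six alerts spanning 25 minutes.
SAMPLE_SYSLOG = """\
Nov 26 10:00:01 sensor snort[4242]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.5:1434 -> 10.0.0.9:1434
Nov 26 10:00:03 sensor snort[4242]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.5:1434 -> 10.0.0.10:1434
Nov 26 10:04:30 sensor snort[4242]: [1:1256:7] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.7:3345 -> 10.0.0.20:80
Nov 26 10:09:59 sensor snort[4242]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.5:1434 -> 10.0.0.11:1434
Nov 26 10:10:02 sensor snort[4242]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.5:1434 -> 10.0.0.12:1434
Nov 26 10:25:00 sensor snort[4242]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.5:1434 -> 10.0.0.13:1434
"""

# Snort's syslog alert format: [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src -> dst
SNORT_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

def parse_snort_syslog(text, year=2003):
    """Yield one dict per Snort alert line; syslog stamps carry no year, so one is assumed."""
    for line in text.splitlines():
        m = SNORT_LINE.match(line)
        if not m:
            continue  # other daemons share the syslog file; skip non-Snort lines
        ev = m.groupdict()
        stamp = " ".join(ev["ts"].split())  # syslog pads single-digit days with a space
        ev["time"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ev

def throttle_pages(events, window=timedelta(minutes=10)):
    """Record every event, but page at most once per window per signature (gid:sid)."""
    logged = Counter()   # full record: every alert is counted, none suppressed
    last_page = {}       # key -> time of the last page sent for that signature
    pages = []
    for ev in events:
        key = f"{ev['gid']}:{ev['sid']}"
        logged[key] += 1
        prev = last_page.get(key)
        if prev is None or ev["time"] - prev >= window:
            last_page[key] = ev["time"]
            pages.append((ev["time"], key, ev["msg"]))
    return logged, pages

if __name__ == "__main__":
    logged, pages = throttle_pages(parse_snort_syslog(SAMPLE_SYSLOG))
    print(f"{sum(logged.values())} alerts logged, {len(pages)} pages sent")
```

Swatch's own throttle option plays the role of `throttle_pages` here; the point is that the rate limit lives in the notifier, so the log behind it stays complete.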