Snort mailing list archives

Feature request: thresholds need another counter?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 17 Mar 2004 16:45:58 +1300

Hi there

I am in a dilemma. I want to move to thresholds so as to save my SQL
databases from collapse, and yet at the same time I don't like losing the
details - such as what looks like 10 SLAMMER alerts @ 1 per minute was
actually 10,000,000 alerts - but threshold reduced it down.

What about a threshold code change (and schema change I suppose) so that it
reports an extra field - the number of times the alert occurred in the
threshold period.

i.e. 

SLAMMER alert triggered - 30,000 times in threshold period
SLAMMER alert triggered - 10,000 times in threshold period
SLAMMER alert triggered - 70,000 times in threshold period


Three records - but you know that was actually 110,000 alerts.

Obviously stuff like ACID would need to be changed to work with such a
change, but it seems to me you'd get the best of both worlds...?

Just a thought...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
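To make the proposal concrete, here is an added example (my own illustration, not Jason's code and not Snort's threshold implementation) that models a Snort-style "type limit" threshold beside the proposed variant that attaches a per-period count. The sid, source address, timestamps and alert volumes are constructed; the 60-second window and "log the first event per source per window" behaviour are a simplified model of Snort 2.x `type limit` thresholding, not a reimplementation of it.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Alert:
    sid: int
    src: str
    ts: float  # seconds since epoch


@dataclass
class Record:
    """One logged record. `count` is the extra field the post proposes:
    the number of raw alerts absorbed by this threshold period."""
    sid: int
    src: str
    period_start: float
    count: int


def threshold_limit(alerts: List[Alert], count: int = 1, seconds: int = 60) -> List[Alert]:
    """Simplified 'type limit, track by_src': log the first `count` alerts per
    (sid, src) in each `seconds` window, silently drop the rest.
    Nothing records how many were dropped, which is the problem in the post."""
    state: Dict[Tuple[int, str], Tuple[float, int]] = {}  # key -> (window start, seen)
    logged: List[Alert] = []
    for a in alerts:
        key = (a.sid, a.src)
        start, seen = state.get(key, (None, 0))
        if start is None or a.ts - start >= seconds:
            start, seen = a.ts, 0  # open a new window
        seen += 1
        state[key] = (start, seen)
        if seen <= count:
            logged.append(a)
    return logged


def threshold_limit_counted(alerts: List[Alert], seconds: int = 60) -> List[Record]:
    """Proposed variant: still one record per (sid, src) per window, but the
    record is closed with the number of alerts that fell into the window."""
    open_windows: Dict[Tuple[int, str], Record] = {}
    out: List[Record] = []
    for a in alerts:
        key = (a.sid, a.src)
        rec = open_windows.get(key)
        if rec is None or a.ts - rec.period_start >= seconds:
            if rec is not None:
                out.append(rec)  # window expired: emit it with its final count
            rec = Record(a.sid, a.src, a.ts, 0)
            open_windows[key] = rec
        rec.count += 1
    out.extend(open_windows.values())  # flush windows still open at end of input
    out.sort(key=lambda r: (r.period_start, r.src))
    return out


def constructed_alerts() -> List[Alert]:
    """Constructed input: one source firing a single signature at 300, 100 and
    700 alerts/minute over three consecutive minutes (sid and address are made up)."""
    t0 = 1_079_491_558.0
    alerts: List[Alert] = []
    for minute, n in enumerate((300, 100, 700)):
        for i in range(n):
            alerts.append(Alert(2003, "10.0.0.5", t0 + minute * 60 + i * (60 / n)))
    return alerts


def compare() -> Tuple[int, List[int], int]:
    """Returns (records from plain limit, per-period counts from the counted
    variant, total alerts recovered from those counts)."""
    alerts = constructed_alerts()
    plain = threshold_limit(alerts)
    counted = threshold_limit_counted(alerts)
    per_period = [r.count for r in counted]
    return len(plain), per_period, sum(per_period)


if __name__ == "__main__":
    n_plain, per_period, total = compare()
    print(f"plain limit threshold logged {n_plain} records; true volume is lost")
    for c in per_period:
        print(f"alert triggered - {c} times in threshold period")
    print(f"counted variant: {len(per_period)} records, {total} alerts accounted for")
```

Both functions write the same number of rows to the database, so the load-reduction argument for thresholds is unchanged; the only difference is one integer column per row, which is the schema change (and the matching ACID change) the post anticipates.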


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users