Snort mailing list archives
Re: Feature request: thresholds need another counter?
From: "Jason" <snort-users () tcpipbitch net>
Date: Wed, 17 Mar 2004 08:20:17 -0500 (EST)
I disagree. Yes, from a technical standpoint, we (as in my place of employment) only care about the fact that the machine is infected or not, and if you get 1000 hits a minute, that's a good indication. However, there are those we report to who want numbers and statistics, and losing those is just as bad from a management standpoint, even more so where I work, as they are very much into numbers... Now ideally, if someone came up with a nice realtime console, then not having to worry about thresholding and having a console that consolidates the alerts would be even better (for example, show the alert, then drill down into the alert to get the source count, and then drilling down on the source would show all the source -> destination relationships). Disk space is not an issue for me; db performance is, but I have managed to get around that a little bit. The issue is the multitude of alerts we get, and how to get rid of the fluff.
I guess my question would be, why should you care? Case in point. My rule for Nachi thresholds at, IIRC, 1000 alerts in a 60 second period. If I'm getting that many alerts, I *know* it's Nachi. I no longer have to wonder if it's something else. Once I *know* that, why do I care if this particular instance sets off 250,000 alerts/hour whereas another infection sets off 125,000/hour? The fact is, the alert has done its job, and I don't really need to know the precise numbers. There may be cases where this is not true, however, so I think there's some merit to your suggestion. I'm just not sure how much. :-)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
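The disagreement in this thread is about what a Snort `threshold` entry throws away: once the count/seconds window is exceeded, the suppressed events are simply gone, so the total that management wants is lost along with the noise. The following is an added example (not code from Snort or from anyone in the thread) that simulates Snort 2.x-style `limit`, `threshold` and `both` thresholding with `track by_src`/`by_dst` and the extra per-key counter the feature request asks for: how many matching events were seen in total, how many alerts were actually emitted, and how many were suppressed. The event stream, the IP addresses and the rule parameters are constructed for illustration.

```python
"""Simulation of Snort 2.x alert thresholding plus a 'suppressed' counter.

Thresholding semantics modelled (as documented for Snort 2.x threshold.conf):
  limit     - alert on the first `count` events per `seconds` window, drop the rest
  threshold - alert every `count`-th event within a `seconds` window
  both      - alert once per `seconds` window, after `count` events were seen
The additional bookkeeping (seen / fired / suppressed) is the hypothetical
counter discussed in the thread; it is not a Snort feature.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ThresholdRule:
    type: str       # "limit", "threshold" or "both"
    track: str      # "by_src" or "by_dst"
    count: int      # events needed inside one window
    seconds: float  # window length


@dataclass
class KeyState:
    window_start: Optional[float] = None
    window_count: int = 0   # events seen in the current window
    seen: int = 0           # total matching events for this key (the extra counter)
    fired: int = 0          # alerts actually emitted for this key


class Thresholder:
    def __init__(self, rule: ThresholdRule) -> None:
        if rule.type not in ("limit", "threshold", "both"):
            raise ValueError(f"unknown threshold type {rule.type!r}")
        self.rule = rule
        self.state: Dict[str, KeyState] = defaultdict(KeyState)

    def process(self, ts: float, src: str, dst: str) -> bool:
        """Feed one rule match; return True if an alert would be emitted."""
        key = src if self.rule.track == "by_src" else dst
        st = self.state[key]
        st.seen += 1

        # Start a fresh window when the old one has expired (or none exists yet).
        if st.window_start is None or ts - st.window_start >= self.rule.seconds:
            st.window_start = ts
            st.window_count = 0
        st.window_count += 1

        n, c = st.window_count, self.rule.count
        if self.rule.type == "limit":
            fire = n <= c
        elif self.rule.type == "threshold":
            fire = n % c == 0
        else:  # both
            fire = n == c

        if fire:
            st.fired += 1
        return fire

    def summary(self) -> Dict[str, Dict[str, int]]:
        """Per-key totals: what a console could report even after thresholding."""
        return {
            key: {"seen": st.seen, "fired": st.fired, "suppressed": st.seen - st.fired}
            for key, st in self.state.items()
        }


def constructed_events() -> List[Tuple[float, str, str]]:
    """Constructed sample stream: one noisy host (250 hits in ~25 s) and one
    quiet host (5 hits). Addresses are placeholders, not real hosts."""
    noisy = [(i * 0.1, "10.0.0.5", "10.0.1.1") for i in range(250)]
    quiet = [(i * 1.0, "10.0.0.9", "10.0.1.1") for i in range(5)]
    return sorted(noisy + quiet)


def run(rule_type: str) -> Dict[str, Dict[str, int]]:
    """Apply a `type <rule_type>, track by_src, count 100, seconds 60` rule."""
    th = Thresholder(ThresholdRule(rule_type, "by_src", count=100, seconds=60))
    for ts, src, dst in constructed_events():
        th.process(ts, src, dst)
    return th.summary()


if __name__ == "__main__":
    for kind in ("limit", "threshold", "both"):
        print(kind, run(kind))
```

With `type both`, the noisy host produces exactly one alert and 249 suppressed events; with `type limit` the first 100 fire; with `type threshold` alerts fire at the 100th and 200th event. In every case the `seen` total survives, which is the number the thread's poster says management asks for.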
Current thread:
- Feature request: thresholds need another counter? Jason Haar (Mar 16)
- Re: Feature request: thresholds need another counter? Paul Schmehl (Mar 16)
- Re: Feature request: thresholds need another counter? Jason (Mar 17)
- Re: Feature request: thresholds need another counter? Frank Knobbe (Mar 18)
- Re: Feature request: thresholds need another counter? Paul Schmehl (Mar 19)
- Re: Feature request: thresholds need another counter? Jason Haar (Mar 20)
- Re: Feature request: thresholds need another counter? Jason (Mar 17)
- Re: Feature request: thresholds need another counter? Paul Schmehl (Mar 16)
- Re: Feature request: thresholds need another counter? Michael Boman (Mar 19)