Snort mailing list archives

Re: Feature request: thresholds need another counter?


From: "Jason" <snort-users () tcpipbitch net>
Date: Wed, 17 Mar 2004 08:20:17 -0500 (EST)

I disagree. Yes, from a technical standpoint, we (as in my place of
employment) only care about the fact the machine is infected, or not, and
if you get 1000 hits a min, that's a good indication; however, there are
those we report to who want numbers and statistics, and losing those is just
as bad from a management standpoint, even more so where I work as they are
very much into numbers...

Now ideally, if someone came up with a nice realtime console, then not
having to worry about thresholding, and having a console that consolidates
the alerts (for example, show the alert, then drill down into the alert to
get the source count, and then drilling down on the source would show all
the source -> destination relationships) would be even better. Disk space is
not an issue for me; db performance is, but I have managed to get around
that a little bit. The issue is the multitude of alerts we get, and how to
get rid of the fluff.


I guess my question would be, why should you care?  Case in point.  My rule
for Nachi thresholds at, IIRC, 1000 alerts in a 60 second period.  If I'm
getting that many alerts, I *know* it's Nachi.  I no longer have to wonder
if it's something else.  Once I *know* that, why do I care if this
particular instance sets off 250,000 alerts/hour whereas another infection
sets off 125,000/hour?  The fact is, the alert has done its job, and I don't
really need to know the precise numbers.

There may be cases where this is not true, however, so I think there's some
merit to your suggestion.  I'm just not sure how much. :-)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
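A small alert post-processor, added here as an example and not code from this thread or from Snort, that does what the feature request asks for: it thresholds per source the way a `count 1000, seconds 60, track by_src` rule would (scaled down to 3 hits in 60 seconds) while keeping the per-source totals and the source -> destination pairs, so the numbers management wants survive thresholding. The alert lines are constructed, and restarting the window when an alert fires is an assumption, not Snort's exact internals.

```python
from collections import defaultdict
# Constructed sample alerts: (timestamp in seconds, source IP, destination IP).
SAMPLE_ALERTS = [
    (1, "10.0.0.5", "192.168.1.10"),
    (2, "10.0.0.5", "192.168.1.11"),
    (3, "10.0.0.5", "192.168.1.12"),    # 3rd hit from 10.0.0.5 within 60 s: fires
    (4, "10.0.0.9", "192.168.1.10"),
    (5, "10.0.0.5", "192.168.1.10"),
    (6, "10.0.0.5", "192.168.1.11"),
    (7, "10.0.0.5", "192.168.1.12"),    # 6th hit: fires again
    (8, "10.0.0.9", "192.168.1.11"),
    (9, "10.0.0.5", "192.168.1.10"),
    (100, "10.0.0.5", "192.168.1.10"),  # window expired, per-window count restarts
    (101, "10.0.0.5", "192.168.1.11"),
]

class CountingThreshold:
    """Fire once per `count` hits from one source inside a `seconds` window
    (roughly Snort's `type threshold, track by_src`), but keep the raw numbers."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.window = {}               # src -> (window_start, hits_in_window)
        self.total = defaultdict(int)  # src -> hits seen, thresholded or not
        self.dests = defaultdict(set)  # src -> destinations it touched
        self.fired = []                # (ts, src, total_at_fire)

    def feed(self, ts, src, dst):
        self.total[src] += 1
        self.dests[src].add(dst)
        start, hits = self.window.get(src, (ts, 0))
        if ts - start >= self.seconds:  # window expired: start a fresh one
            start, hits = ts, 0
        hits += 1
        if hits >= self.count:          # every count-th hit raises one alert
            self.fired.append((ts, src, self.total[src]))
            start, hits = ts, 0         # assumption: window restarts on fire
        self.window[src] = (start, hits)

    def summary(self, src):
        """Per-source drill-down: total hits, alerts raised, destinations."""
        return {"hits": self.total[src],
                "alerts": sum(1 for _, s, _ in self.fired if s == src),
                "destinations": sorted(self.dests[src])}

def run_example(count=3, seconds=60):  # 3-in-60s stands in for 1000-in-60s
    th = CountingThreshold(count, seconds)
    for ts, src, dst in SAMPLE_ALERTS:
        th.feed(ts, src, dst)
    return th
```

Each fired alert carries the source's running total, so a console can show one alert per window and still drill down to exact counts and source -> destination pairs.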



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

