Snort mailing list archives
Re: Feature request: thresholds need another counter?
From: Michael Boman <michael () ayeka dyndns org>
Date: Wed, 17 Mar 2004 13:06:51 +0800
On Wed, 2004-03-17 at 12:09, Paul Schmehl wrote:
> ----- Original Message -----
> From: "Jason Haar" <Jason.Haar () trimble co nz>
> To: <snort-users () lists sourceforge net>
> Sent: Tuesday, March 16, 2004 9:45 PM
> Subject: [Snort-users] Feature request: thresholds need another counter?
>
>> I am in a dilemma. I want to move to thresholds so as to save my SQL databases from collapse, and yet at the same time I don't like losing the details - such as what looks like 10 SLAMMER alerts @ 1 per minute was actually 10,000,000 alerts - but threshold reduced it down.
>
> I guess my question would be, why should you care? Case in point. My rule for Nachi thresholds at, IIRC, 1000 alerts in a 60 second period. If I'm getting that many alerts, I *know* it's Nachi. I no longer have to wonder if it's something else. Once I *know* that, why do I care if this particular instance sets off 250,000 alerts/hour whereas another infection sets off 125,000/hour? The fact is, the alert has done its job, and I don't really need to know the precise numbers.
>
> There may be cases where this is not true, however, so I think there's some merit to your suggestion. I'm just not sure how much. :-)
It's all about numbers when you try to grab more money or justify the money you already spent. Being able to draw nice graphs for the reports is one of the requirements in this process. If you don't have the numbers it's quite hard to draw the graphs... Especially when your thresholds say it was _at least_ X alerts in Y time frame...

Just my .02$

-- 
Michael Boman
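Added illustration, not code from this thread or from Snort itself: a small model of the threshold keyword's three types (limit, threshold, both) carrying the extra counter the request asks for, so that a log showing 10 alerts can still be reconciled against the number of events that produced them. The SID, addresses and event stream are constructed; real Snort keeps no such counter, which is the point of the feature request.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    sid: int
    key: str
    ts: int
    window_events: int      # events seen in the current window, this one included
    suppressed_before: int  # events swallowed since the previous alert (the requested counter)

class Thresholder:
    """Snort-style threshold (type limit|threshold|both, track by_src|by_dst,
    count, seconds) plus one extra per-key counter of suppressed events."""
    def __init__(self, sid, kind, track, count, seconds):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError(kind)
        self.sid, self.kind, self.track = sid, kind, track
        self.count, self.seconds = count, seconds
        self._state = {}  # key -> [window_start, window_events, suppressed]

    def check(self, ts, src, dst):
        """Return an Alert if this event should be logged, else None (suppressed)."""
        key = src if self.track == "by_src" else dst
        st = self._state.setdefault(key, [ts, 0, 0])
        if ts - st[0] >= self.seconds:  # window expired: open a fresh one
            st[0], st[1] = ts, 0
        st[1] += 1
        n = st[1]
        if self.kind == "limit":
            fire = n <= self.count          # first `count` events per window
        elif self.kind == "threshold":
            fire = n % self.count == 0      # every `count`-th event
        else:
            fire = n == self.count          # once per window, after `count` events
        if not fire:
            st[2] += 1
            return None
        alert = Alert(self.sid, key, ts, n, st[2])
        st[2] = 0
        return alert

    def pending_suppressed(self):
        """Suppressed events not yet reported by any emitted alert, per key."""
        return {k: st[2] for k, st in self._state.items()}

def run(filt, events):
    return [a for a in (filt.check(ts, s, d) for ts, s, d in events) if a]

def constructed_stream():
    # Constructed sample: one source sending 12,000 events at 20/s for 10 minutes (integer seconds)
    return [(i // 20, "10.0.0.7", "192.0.2.1") for i in range(12000)]
```

With `limit, count 1, seconds 60` the stream above yields 10 logged alerts; adding their `suppressed_before` values and the pending counter recovers all 12,000 events, which is exactly what a plain threshold throws away.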