Snort mailing list archives
Re: Enormous amount of alerts
From: "Al Lewis \(allewi\) via Snort-devel" <snort-devel () lists snort org>
Date: Thu, 4 Jul 2019 14:07:54 +0000
Sounds like you want a threshold on the amount of alerts you receive within a given time (or count) of an event. Check the documentation in the download for snort3. For snort2 you can check here: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node35.html

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Christian Leclerc <christian.leclerc () sphere3solutions com>
Date: Thursday, July 4, 2019 at 9:47 AM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] Enormous amount of alerts

Hello guys!

I have created a plugin in snort3 and it's very interesting how much data I can get for it. The problem is that if, for example, I start a torrent, it logs on every packet. The same alert is triggered for the same IP and the same source so many times. Example:

2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found

Does someone know how to adjust the trigger in the configuration to alert only once if it's the same alert for every other packet after?

cheers,
Christian L.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
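As an added illustration of the threshold Al refers to (my own code, not from this thread or from Snort), the Python below models the three Snort event_filter types (limit, threshold, both) with by_src/by_dst tracking and runs them over a constructed sample modelled on Christian's alert lines. In Snort 3 the real setting is an event_filter entry in snort.lua keyed by the plugin rule's gid and sid, which the thread does not give.

```python
import re
from datetime import datetime
# Constructed sample modelled on the post's lines (not a real capture); the last line is 64 s later.
SAMPLE_ALERTS = """\
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 17.174.1.5:443 localhost (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:16:36 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
2019-07-03 22:17:40 3 localhost 17.174.1.5:443 (tcp) experimental TCP options found
"""
LINE_RE = re.compile(r"^(\S+ \S+) \d+ (\S+) (\S+) \(\w+\) (.+)$")

def parse_alerts(text):
    """Yield (epoch_seconds, src, dst, msg) from 'date time N src dst (proto) msg' lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").timestamp()
            yield ts, m.group(2), m.group(3), m.group(4)

class EventFilter:
    """Model of Snort's event_filter semantics for one alert message:
    type limit|threshold|both, track by_src|by_dst, `count` events per `seconds` window."""
    def __init__(self, type_, track, count, seconds):
        self.type, self.track, self.count, self.seconds = type_, track, count, seconds
        self.state = {}  # (msg, tracked address) -> (window_start, events_seen)

    def allow(self, ts, src, dst, msg):
        key = (msg, src if self.track == "by_src" else dst)
        start, seen = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0                 # window expired: start a new one
        seen += 1
        self.state[key] = (start, seen)
        if self.type == "limit":                # pass the first `count`, drop the rest
            return seen <= self.count
        if self.type == "threshold":            # fire every `count` events, restart window
            if seen >= self.count:
                self.state[key] = (ts, 0)
            return seen >= self.count
        if self.type == "both":                 # fire once per window when `count` is reached
            return seen == self.count
        raise ValueError("unknown event_filter type: " + self.type)

def passing_lines(text, type_, track, count, seconds):
    """1-based indexes of the alert lines that survive the filter (what would be logged)."""
    f = EventFilter(type_, track, count, seconds)
    return [i for i, a in enumerate(parse_alerts(text), 1) if f.allow(*a)]
```

With type limit, count 1 and 60 seconds tracked by_src, the seven constructed lines shrink to one alert per source per window, which is the behaviour Christian asks for.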