List:       snort-sigs
Subject:    [Snort-sigs] Can I still log every packet when thresholding the alerts?
From:       "Williams Jon" <WilliamsJonathan () JohnDeere ! com>
Date:       2003-11-25 20:13:17

I've been working on exception alerting using snort (i.e. alerting on
traffic inside a network that isn't sourced from or destined to that
subnet, unused protocols, etc.), and it's worked rather well, too well,
in fact.  There are times, such as with Blaster/Welchia/SQL Slammer,
where the rules send out 25k alerts in 5 minutes.  On the one hand,
we're using the detail to determine what's going on (i.e. distinguishing
an actual Welchia infection from the Yahoo! Messenger cruft).  On the
other hand, my boss tends to frown on receiving a pager bill for 3
million pages in a month :-)

So, I was thinking, could I use a rule that has the threshold stuff set
to generate only one alert every X minutes and then have a second rule
that just logs any packet that matches the same criteria?  I vaguely
remember some discussions a while back about having multiple rule
matches, but I don't remember if the end result was the ability to have
the same packet initiate multiple distinct actions.

Thanks.

Jon
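As an added illustration of the setup Jon is asking about (example rules written for this archive page, not part of the original post or of any Snort ruleset), the pair below uses the Snort 2.x `threshold` rule option to cap the pager-bound alert at one event per source every 10 minutes, while a separate `log` rule with its own SID records every matching packet. `$HOME_NET`, the `msg` strings, the SIDs 1000001/1000002 and the 600-second window are assumed placeholders, and the traffic criterion (packets that neither come from nor go to the local subnet) is only one way to express the "exception" condition described above.

```snort
# Constructed example: same match criteria, two distinct rules.
# Rule 1: alert, but rate-limited. "type limit" fires on the first
# matching packet from a given source and then stays quiet for
# "seconds" seconds, however many more packets arrive.
alert ip !$HOME_NET any -> !$HOME_NET any ( \
    msg:"EXCEPTION transit traffic not involving local subnet (rate-limited)"; \
    threshold: type limit, track by_src, count 1, seconds 600; \
    classtype:bad-unknown; sid:1000001; rev:1; )

# Rule 2: log only. Separate SID, so the thresholding state of rule 1
# does not apply here; every matching packet is written to the log
# output, giving the full detail needed to tell an infection apart
# from benign noise.
log ip !$HOME_NET any -> !$HOME_NET any ( \
    msg:"EXCEPTION transit traffic not involving local subnet (full log)"; \
    classtype:bad-unknown; sid:1000002; rev:1; )
```

Whether one packet can trigger both rules depends on the sensor's rule-order and event-queue configuration (older Snort 2 builds stop at the first matching rule by default; newer ones expose a `config event_queue:` setting whose `log` value controls how many events per packet are kept), so check the running version's documentation and confirm with a captured sample that both SIDs appear in the logs before relying on it.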



_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
