Hosting Provided By

[Snort-sigs] general sig question

From: d_greenjr <d_greenjr(at)hotmail.com>
Date: Thu May 22 2003 - 02:03:17 EDT

Is there a way to have a rule alert-and/or log-only after the rule has been detected n amount of times from a specific source?

For example, how can I edit the following rule to only alerts after the sensor detects this signature 20 times from a single node that is !$HOME_NET? alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content: "|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|"; reference:bugtraq,1163; reference:cve,CVE-2000-0347; reference:arachnids,204; classtype:attempted-recon; sid:530; rev:7;)

This SF.net email is sponsored by: ObjectStore. If flattening out C++ or Java code to make your application fit in a relational database is painful, don't do it! Check out ObjectStore. Now part of Progress Software. http://www.objectstore.net/sourceforge

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Thu May 22 03:08:38 2003

This message: [ Message body ]
Next message: security people: "Re: [Snort-sigs] Not looking in Email"
Previous message: Dale L. Handy: "Re: [Snort-sigs] Not looking in Email"
Next in thread: Brian: "Re: [Snort-sigs] general sig question"
Reply: Brian: "Re: [Snort-sigs] general sig question"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:29 EDT