Re: [Snort-sigs] Limiting Alert Rates? Newbie

From: Erek Adams <erek(at)snort.org>
Date: Tue Aug 26 2003 - 17:50:59 EDT

On Tue, 26 Aug 2003, Jacob Roberts wrote:

[...snip...]

> Is there a way to write a rule (or something else) to only through an

Nope.

Snort does not have any sort of thresholding ability.

Swatch can sorta do this, but you'd have to parse syslog data and then send over a 'psudeo alert'.

Cheers!

Erek Adams

Do you need help?

"When things get weird, the weird turn pro." H.S. Thompson

This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Tue Aug 26 18:14:20 2003

This message: [ Message body ]
Next message: Williams, Colby E.: "[Snort-sigs] Classification.config"
In reply to Jacob Roberts: "[Snort-sigs] Limiting Alert Rates? Newbie"
Next in thread: Richard Crane: "Re: [Snort-sigs] Limiting Alert Rates? Newbie"
Reply: Richard Crane: "Re: [Snort-sigs] Limiting Alert Rates? Newbie"
Reply: Tony Lill: "Re: [Snort-sigs] Limiting Alert Rates? Newbie"
Reply: Michael Miller: "RE: [Snort-sigs] Limiting Alert Rates? Newbie"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:34 EDT