Snort mailing list archives

Re: Too many events in logs


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 23 May 2002 15:05:56 -0400

Well, I can think of 2 quick ways to help handle it, but offhand I do not know of a way to purposefully make snort NOT log an alert just because the alert went off several times already.

1) Try to be more narrow in your rule so you false less, i.e. if you're looking for IM traffic, add a content rule that catches the start of a session, not every packet within it.

2) Use syslog logging. Most current syslogds tend to "group" a repeated alert by simply stating "the previous message was repeated N times".


Flows might also help you in accomplishing the same effects as #1, but that's not a feature of an "official" (i.e. numbered) release version of snort yet. From what little I understand this allows you to do "if this, then sometime later that, then alert" type setups with a couple of rules chained together into a flow.

At 11:06 AM 5/23/2002 -0700, spyguy703 () earthlink net wrote:
Sorry for asking a dumb question, but I need to log port 80/tcp traffic to a certain server (not web traffic).

I have already created a simple rule. My problem is that there are too many alerts.

Is there a way in snort to limit how many rule matches get logged?
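Added example, not code from Matt's reply or from the snort project: a small Python script that shows the effect of suggestion #2 (syslog-style collapsing of consecutive identical alerts into one line plus "last message repeated N times") and, for suggestion #1, counts alerts per rule so you can see which rule is the noisy one that needs narrowing. The alert lines are constructed and only loosely modelled on snort's one-line "fast" alert format; the timestamp is excluded from the repeat comparison because a syslogd adds the timestamp itself and compares only the message text it was handed.

```python
"""Collapse repeated IDS alerts the way a syslogd does, and summarise them per rule.

Added example for the thread above; not snort code. SAMPLE_ALERTS is a constructed
stream: one rule (sid 1000001) fires on every packet of a single session, with one
unrelated alert in the middle.
"""
import re
from collections import Counter

SAMPLE_ALERTS = [
    "05/23-11:06:01.000001 [**] [1:1000001:1] port 80 to fileserver [**] {TCP} 10.0.0.5:33001 -> 10.0.0.10:80",
    "05/23-11:06:01.000120 [**] [1:1000001:1] port 80 to fileserver [**] {TCP} 10.0.0.5:33001 -> 10.0.0.10:80",
    "05/23-11:06:01.000250 [**] [1:1000001:1] port 80 to fileserver [**] {TCP} 10.0.0.5:33001 -> 10.0.0.10:80",
    "05/23-11:06:02.500000 [**] [1:1000002:1] telnet to fileserver [**] {TCP} 10.0.0.7:40000 -> 10.0.0.10:23",
    "05/23-11:06:03.000001 [**] [1:1000001:1] port 80 to fileserver [**] {TCP} 10.0.0.5:33001 -> 10.0.0.10:80",
    "05/23-11:06:03.000090 [**] [1:1000001:1] port 80 to fileserver [**] {TCP} 10.0.0.5:33001 -> 10.0.0.10:80",
]

# Loose model of a fast-format alert line (constructed, see module docstring).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def message_key(alert):
    """Everything except the timestamp: what a syslogd compares to decide a line is a repeat."""
    return (alert["gid"], alert["sid"], alert["msg"], alert["proto"],
            alert["src"], alert["sport"], alert["dst"], alert["dport"])


def collapse_repeats(lines):
    """Emit each distinct alert once; a run of identical consecutive alerts becomes
    one line followed by 'last message repeated N times'."""
    out = []
    prev_key = None
    repeats = 0
    for line in lines:
        alert = parse_alert(line)
        key = message_key(alert) if alert else line  # unparsable lines compare verbatim
        if key == prev_key:
            repeats += 1
            continue
        if repeats:
            out.append(f"last message repeated {repeats} times")
        out.append(line)
        prev_key = key
        repeats = 0
    if repeats:
        out.append(f"last message repeated {repeats} times")
    return out


def count_by_rule(lines):
    """Alerts per (sid, msg): the rule at the top of this list is the one to narrow."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert:
            counts[(alert["sid"], alert["msg"])] += 1
    return counts


if __name__ == "__main__":
    for line in collapse_repeats(SAMPLE_ALERTS):
        print(line)
    for (sid, msg), n in count_by_rule(SAMPLE_ALERTS).most_common():
        print(f"sid {sid} ({msg}): {n} alerts")
```

Note that the collapsing only helps with runs of identical lines; the moment a second host talks to the same server the alerts interleave and nothing collapses, which is why the per-rule count is the more useful number: it tells you which rule to tighten (for example to match only the first packet of a session rather than every packet in it), as suggestion #1 describes.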



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users