Snort mailing list archives

Time Activated Rules


From: "Madhav Diwan" <mdiwan () wagweb com>
Date: 01 Apr 2002 15:31:16 -0500

Hi,

I'm stumped.
I want to get snort to make Time Activated Rules in order to look at
what happens at night versus during the business day.

I currently do this by simply restarting snort from a cron job with a
different set of rules from a NIGHTrules directory and then switching
back to the DAYrules directory in the early part of the morning.

Maybe I missed something, but it seems that I should be able to make
these time distinctions within a rule set rather than across a rule set
by centering some part of the rule on the timestamp of the alert.

It seems likely that I would need to do this in a preprocessor?

Ignoring alerts of a particular type with a particular timestamp in a
sql database is cake, but how about that /var/log/?
And how do I keep them from being created in the first place, given the
time of the event?

Any thoughts?

Has this been done and I just missed it in the User Manual?


Please CC me, I may have been dropped by the user list due to mail
problems.

Madhav Diwan
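The cron-driven day/night swap the post describes, written out as an added shell script (this is not code from the original post or from the Snort project). It assumes rule sets under /etc/snort/DAYrules and /etc/snort/NIGHTrules (directory names from the post), that snort.conf reads its rules from /etc/snort/rules, that Snort writes its pid to /var/run/snort.pid, and business hours of 08:00 to 18:00. The hour-to-rule-set decision is kept in its own function so it can be checked without touching a running sensor.

```shell
#!/bin/sh
# Added example, not from the original post: select a Snort rule set by the
# hour of day and switch a running sensor over to it from cron.
# Assumed layout: /etc/snort/DAYrules and /etc/snort/NIGHTrules (names from
# the post); snort.conf includes rules via the /etc/snort/rules path, which
# this script maintains as a symlink to the active set.

SNORT_HOME=/etc/snort
SNORT_CONF="$SNORT_HOME/snort.conf"
SNORT_PID=/var/run/snort.pid     # assumed pid file location
DAY_START=8                      # business day begins 08:00 (assumed)
DAY_END=18                       # business day ends   18:00 (assumed)

# rules_dir_for_hour HOUR -> prints DAYrules during business hours,
# NIGHTrules otherwise. HOUR is 0-23.
rules_dir_for_hour() {
    hour=$1
    if [ "$hour" -ge "$DAY_START" ] && [ "$hour" -lt "$DAY_END" ]; then
        echo DAYrules
    else
        echo NIGHTrules
    fi
}

# active_rules_dir -> the rule set that should be live right now
active_rules_dir() {
    rules_dir_for_hour "$(date +%H)"
}

# switch_rules: repoint the rules symlink and make Snort pick it up.
# Snort re-reads its configuration on SIGHUP; if no pid file is present
# a daemonised instance is started instead.
switch_rules() {
    target=$(active_rules_dir)
    ln -sfn "$SNORT_HOME/$target" "$SNORT_HOME/rules"
    if [ -r "$SNORT_PID" ]; then
        kill -HUP "$(cat "$SNORT_PID")"
    else
        snort -D -c "$SNORT_CONF"
    fi
    echo "switched to $target"
}

# Constructed crontab entries that call this script at the two boundaries:
#   0 8  * * *  /usr/local/sbin/snort-rules-switch.sh switch
#   0 18 * * *  /usr/local/sbin/snort-rules-switch.sh switch
# Running it with no argument only defines the functions above.
case "${1:-}" in
    switch) switch_rules ;;
esac
```

Because the swap is a symlink change followed by a reload, the two rule directories can be edited independently and a sensor that missed a cron run converges on the right set at the next boundary rather than staying on stale rules.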