Snort mailing list archives
RE: suggestion?
From: Steve Halligan <giermo () geeksquad com>
Date: Wed, 15 Jan 2003 10:35:18 -0600
> Is it possible to build into the code or the conf/rules files an option
> that would instruct snort to stop logging for this alert based upon the
> source address and after "x" number of similar alerts for "x" amount of
> time?

This exists in the code (1.9 and 2.0 IIRC). It is an undocumented Rule option called "threshold". It is undocumented for a very good reason: It is very very broken. Not sure where it is on the list of things-to-do.

-steve

Current thread:
- suggestion? Slighter, Tim (Jan 15)
- <Possible follow-ups>
- RE: suggestion? Steve Halligan (Jan 15)