Snort mailing list archives
snort 2.0.2 - Rule Thresholding
From: "Marc Norton" <marc.norton () sourcefire com>
Date: Thu, 18 Sep 2003 08:39:42 -0400
The new thresholding feature supports both rule-specific thresholding and global thresholding to quiet all of the rules down. Using global thresholding requires you to use a sig_id value of -1 in the 'threshold' command instead of a specific rule sig_id. I am posting this tidbit because I don't think the global thresholding made it into the documentation. The rule-specific thresholding and rule suppression are documented in the 'doc/README.thresholding' file.

For quieting worms and such, use the threshold type = 'limit'; you can then specify 1 event to be logged per 10 seconds, or 3 per 60 seconds, 600 seconds, whatever you want. The document details the whole functionality.

Marc Norton
Senior Software Engineer - Sourcefire, Inc.
410-423-1924
marc.norton () sourcefire com
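A small model of how the 'limit' threshold type behaves on a stream of alerts, added here as an example; it is not code from the post or from Snort itself. It assumes that a rule-specific threshold entry takes precedence over the global sig_id -1 entry, and the event timestamps and addresses are constructed.

```python
from dataclasses import dataclass, field

# Equivalent snort.conf lines being modelled (Snort 2.x 'threshold' syntax):
#   threshold gen_id 1, sig_id -1,   type limit, track by_src, count 1, seconds 10
#   threshold gen_id 1, sig_id 2000, type limit, track by_src, count 3, seconds 60


@dataclass
class Threshold:
    """One 'threshold' line of type limit: log at most `count` events per `seconds`."""
    count: int
    seconds: int
    track: str = "by_src"  # or "by_dst"


@dataclass
class LimitThresholder:
    # keyed by (gen_id, sig_id); sig_id -1 is the global entry described in the post
    thresholds: dict
    _windows: dict = field(default_factory=dict)  # (gen_id, sig_id, addr) -> (start, n)

    def _lookup(self, gen_id, sig_id):
        # Assumption: a rule-specific entry wins over the global -1 entry
        return self.thresholds.get((gen_id, sig_id)) or self.thresholds.get((gen_id, -1))

    def should_log(self, gen_id, sig_id, src, dst, now):
        th = self._lookup(gen_id, sig_id)
        if th is None:
            return True  # no threshold configured: every event is logged
        addr = src if th.track == "by_src" else dst
        key = (gen_id, sig_id, addr)
        start, n = self._windows.get(key, (None, 0))
        if start is None or now - start >= th.seconds:
            start, n = now, 0  # interval expired: open a new one at this event
        n += 1
        self._windows[key] = (start, n)
        return n <= th.count  # 'limit': only the first `count` events per interval


def demo():
    """Constructed worm-like burst: returns the log/suppress decision per event."""
    t = LimitThresholder({
        (1, -1): Threshold(count=1, seconds=10),    # global: 1 per 10 s
        (1, 2000): Threshold(count=3, seconds=60),  # rule 2000: 3 per 60 s
    })
    events = [  # (gen_id, sig_id, src, dst, time)
        (1, 1000, "10.0.0.1", "10.0.0.9", 0), (1, 1000, "10.0.0.1", "10.0.0.9", 3),
        (1, 1000, "10.0.0.1", "10.0.0.9", 9), (1, 1000, "10.0.0.2", "10.0.0.9", 9),
        (1, 1000, "10.0.0.1", "10.0.0.9", 10),
        (1, 2000, "10.0.0.1", "10.0.0.9", 0), (1, 2000, "10.0.0.1", "10.0.0.9", 1),
        (1, 2000, "10.0.0.1", "10.0.0.9", 2), (1, 2000, "10.0.0.1", "10.0.0.9", 3),
    ]
    return [t.should_log(*e) for e in events]
```

The first source hits the global 1-per-10-seconds limit after its first alert until the interval rolls over at t=10, while a second source is tracked separately and rule 2000 follows its own 3-per-60-seconds entry.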