Snort mailing list archives
global threshold question
From: David Wilburn <bug () gecko roadtoad net>
Date: Mon, 29 Mar 2004 04:44:44 -0800
Quick question regarding global thresholds. Consider the following:

threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60

Does this specify that each given host can only trigger one alert per minute, or that each given host can only trigger one alert per rule per minute? If it is the former, how can I achieve the latter instead?

I am trying to avoid a situation in which a worm, autorooter, or rapid-working human attacker were able to use scan or chaff traffic to prevent the logging of more important attack rules.

-Dave Wilburn
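The distinction the question draws matters for exactly the reason given: if a `type limit` threshold is tracked per source host alone, a burst of low-value scan alerts consumes the one-per-minute budget and a later, more important alert from the same host is silently dropped. The following added example (not part of the original post or of Snort's own code) parses a threshold line in the format quoted above and replays a constructed alert stream through a model of `type limit` under both interpretations, keyed on the source address alone and keyed on (gen_id, sig_id, source address), so the effect of each can be compared. The tuple layout of the sample alerts and the `per_rule` switch are assumptions of this model, not Snort configuration options.

```python
"""Model of a Snort-style 'type limit' threshold under two tracking interpretations."""

# Constructed sample alerts: (timestamp_seconds, gen_id, sig_id, src_ip, dst_ip).
# A burst of scan-style alerts (sig 100) from 10.0.0.5, then a higher-priority
# alert (sig 200) from the same host 10 s later, another host, and a repeat
# of sig 200 after the 60 s window has elapsed.
SAMPLE_ALERTS = [
    (0, 1, 100, "10.0.0.5", "192.0.2.10"),
    (1, 1, 100, "10.0.0.5", "192.0.2.11"),
    (2, 1, 100, "10.0.0.5", "192.0.2.12"),
    (10, 1, 200, "10.0.0.5", "192.0.2.10"),
    (12, 1, 100, "10.0.0.9", "192.0.2.10"),
    (70, 1, 200, "10.0.0.5", "192.0.2.10"),
]

THRESHOLD_LINE = "threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60"


def parse_threshold_line(line):
    """Parse 'threshold k v, k v, ...' into a dict with integer fields where appropriate."""
    head, _, rest = line.strip().partition(" ")
    if head != "threshold":
        raise ValueError("not a threshold line: %r" % line)
    fields = {}
    for part in rest.split(","):
        key, value = part.split()
        fields[key] = value
    return {
        "gen_id": int(fields["gen_id"]),
        "sig_id": int(fields["sig_id"]),
        "type": fields["type"],
        "track": fields["track"],
        "count": int(fields["count"]),
        "seconds": int(fields["seconds"]),
    }


class LimitThreshold:
    """'type limit': log the first `count` matching events per key in each
    `seconds` window, drop the rest until a fresh window starts.

    per_rule=True keys the counter on (gen_id, sig_id, tracked address);
    per_rule=False keys it on the tracked address alone (assumed model switch)."""

    def __init__(self, spec, per_rule):
        if spec["type"] != "limit":
            raise ValueError("this model only handles type limit")
        self.spec = spec
        self.per_rule = per_rule
        self.windows = {}  # key -> (window_start_ts, events_logged_in_window)

    def matches(self, alert):
        _, gen_id, sig_id, _, _ = alert
        if gen_id != self.spec["gen_id"]:
            return False
        # sig_id 0 applies the threshold to every signature of that generator.
        return self.spec["sig_id"] in (0, sig_id)

    def key(self, alert):
        _, gen_id, sig_id, src, dst = alert
        addr = src if self.spec["track"] == "by_src" else dst
        return (gen_id, sig_id, addr) if self.per_rule else (addr,)

    def should_log(self, alert):
        if not self.matches(alert):
            return True  # unthresholded alerts pass straight through
        ts = alert[0]
        k = self.key(alert)
        start, logged = self.windows.get(k, (None, 0))
        if start is None or ts - start >= self.spec["seconds"]:
            self.windows[k] = (ts, 1)  # open a new window with this event
            return True
        if logged < self.spec["count"]:
            self.windows[k] = (start, logged + 1)
            return True
        return False  # budget for this window exhausted: dropped


def apply_threshold(alerts, line, per_rule):
    """Return the alerts that survive the threshold, in order."""
    th = LimitThreshold(parse_threshold_line(line), per_rule)
    return [a for a in alerts if th.should_log(a)]


if __name__ == "__main__":
    for per_rule in (False, True):
        kept = apply_threshold(SAMPLE_ALERTS, THRESHOLD_LINE, per_rule)
        print("per_rule=%s -> %d of %d alerts logged" % (per_rule, len(kept), len(SAMPLE_ALERTS)))
        for a in kept:
            print("   ", a)
```

With the source-only key, the sig 200 alert at t=10 from 10.0.0.5 is dropped because the scan alert at t=0 already used that host's one-per-minute budget; with the per-rule key it is logged, and only the repeated scan alerts are suppressed. Whichever way a given Snort build tracks a `sig_id 0` entry, running a sample of real alert timings through a model like this is a quick way to check that a global limit cannot starve the rules that matter.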
Current thread:
- global threshold question David Wilburn (Mar 29)
- <Possible follow-ups>
- Re: global threshold question Charles Lacroix (Mar 29)