Snort mailing list archives
Threshold vs. Limit
From: Lyndon Tiu <ltiu () alumni sfu ca>
Date: Thu, 26 Aug 2004 12:52:26 -0700
Hello,

I have these two lines in /etc/snort/threshold.conf

threshold gen_id 0, sig_id 0, type threshold, track by_src, count 10, seconds 60
threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60

My intention is to only log one unique alert from a unique source every 60 seconds (to prevent DDOS). BUT, I also want to log if 10 alerts are received from a unique source in a 60 second period (to detect DDOS attempts).

I wonder if my config above is correct or am I missing something?

Thank you.

--
Lyndon Tiu
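Added example, not part of the original message and not Snort code: a simplified Python model of which events each Snort threshold type (limit, threshold, both, as described in the Snort manual) lets through when tracking by source. The function name, the per-source interval bookkeeping and the sample addresses and timestamps are assumptions made for this sketch.

```python
# Simplified model of Snort threshold types (added example, not Snort source).

def apply_threshold(events, kind, count, seconds):
    """Return the (timestamp, src) events that would be logged.

    events must be sorted by timestamp; tracking is by source address.
    """
    windows = {}   # src -> [window_start, events_seen_in_window]
    logged = []
    for ts, src in events:
        win = windows.get(src)
        if win is None or ts - win[0] >= seconds:
            win = windows[src] = [ts, 0]      # start a new interval
        win[1] += 1
        seen = win[1]
        if kind == "limit":          # first `count` events per interval
            emit = seen <= count
        elif kind == "threshold":    # every `count`-th event in the interval
            emit = seen % count == 0
        elif kind == "both":         # once per interval, at the `count`-th event
            emit = seen == count
        else:
            raise ValueError(f"unknown threshold type: {kind}")
        if emit:
            logged.append((ts, src))
    return logged

# Constructed sample: one noisy source and one quiet source.
NOISY, QUIET = "192.0.2.10", "192.0.2.20"
EVENTS = sorted([(t, NOISY) for t in range(25)] + [(70, NOISY)]
                + [(t, QUIET) for t in (5, 6, 7)])

if __name__ == "__main__":
    for kind, count in (("limit", 1), ("threshold", 10), ("both", 10)):
        print(kind, count, apply_threshold(EVENTS, kind, count, 60))
```

With these constructed events, the quiet source appears only under limit, and the noisy source is logged twice in its first interval under threshold but once under both.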
Current thread:
- Threshold vs. Limit Lyndon Tiu (Aug 26)
- Re: Threshold vs. Limit Nerijus Krukauskas (Aug 26)