Snort mailing list archives

Threshold vs. Limit


From: Lyndon Tiu <ltiu () alumni sfu ca>
Date: Thu, 26 Aug 2004 12:52:26 -0700

Hello,

I have these two lines in /etc/snort/threshold.conf

threshold gen_id 0, sig_id 0, type threshold, track by_src, count 10, seconds 60
threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60

My intention is to only log one unique alert from a unique source every 60 seconds (to prevent DDOS). BUT, I also want to log if 10 alerts are received from a unique source in a 60 second period (to detect DDOS attempts).

I wonder if my config above is correct or am I missing something?

Thank you.

--
Lyndon Tiu
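To make the difference between the two types concrete, here is a small simulation of Snort 2 threshold.conf semantics run over a constructed alert stream (added example, not code from the post or from Snort; it models "limit" as "log the first count events per source per window" and "threshold" as "log every count-th event per source per window", and assumes the window restarts when a threshold fires). Note also that, per the Snort 2 threshold documentation, only one threshold may be applied to a given gen_id/sig_id pair, so two global lines for gen_id 0, sig_id 0 are unlikely to combine as written; check the manual for the version in use.

```python
# Constructed alert stream: (timestamp_seconds, src_ip, dst_ip, sig_id).
# 10.0.0.5 fires sig 1000 once a second for 12 seconds (a burst);
# 10.0.0.9 fires it once at t=5 and once at t=70 (two separate windows).
ALERTS = [(t, "10.0.0.5", "192.0.2.10", 1000) for t in range(12)]
ALERTS += [(5, "10.0.0.9", "192.0.2.10", 1000),
           (70, "10.0.0.9", "192.0.2.10", 1000)]
ALERTS.sort(key=lambda a: a[0])


def apply_filter(alerts, kind, count, seconds, track="by_src"):
    """Return the alerts that a single threshold.conf line would let through.

    kind    -- "limit" or "threshold" (the two types in the post)
    count   -- the 'count' value of the line
    seconds -- the 'seconds' value of the line
    track   -- "by_src" or "by_dst"
    """
    state = {}   # (sig_id, tracked_ip) -> (window_start, events_in_window)
    logged = []
    for ts, src, dst, sid in alerts:
        key = (sid, src if track == "by_src" else dst)
        start, n = state.get(key, (None, 0))
        if start is None or ts - start >= seconds:
            start, n = ts, 0          # window expired: start a new one
        n += 1
        if kind == "limit":
            # limit: pass the first `count` events in the window, drop the rest
            if n <= count:
                logged.append((ts, src, sid))
        elif kind == "threshold":
            # threshold: pass one event each time `count` events accumulate
            if n >= count:
                logged.append((ts, src, sid))
                start, n = ts, 0      # assumption: window restarts on fire
        else:
            raise ValueError("unknown threshold type: %r" % kind)
        state[key] = (start, n)
    return logged


def logged_timestamps(alerts, kind, count, seconds, src):
    """Timestamps at which `src` would be logged under the given line."""
    return [ts for ts, s, _ in apply_filter(alerts, kind, count, seconds)
            if s == src]


if __name__ == "__main__":
    # limit count 1: 10.0.0.5 is logged once (t=0); 10.0.0.9 at t=5 and t=70.
    print("limit 1/60s:", apply_filter(ALERTS, "limit", 1, 60))
    # threshold count 10: only the burst source is logged, once, at t=9.
    print("threshold 10/60s:", apply_filter(ALERTS, "threshold", 10, 60))
```

The limit line alone suppresses the burst to a single alert, while the threshold line alone is silent until the tenth event from a source inside the window, which is the "10 in 60 seconds" signal the post wants.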


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net