Snort mailing list archives

snort 2.0.2 - Rule Thresholding


From: "Marc Norton" <marc.norton () sourcefire com>
Date: Thu, 18 Sep 2003 08:39:42 -0400

The new thresholding feature supports both rule-specific thresholding
and global thresholding to quiet all of the rules down.  Using global
thresholding requires you to use a sig_id value of -1 in the 'threshold'
command instead of a specific rule sig_id.  I am posting this tidbit
because I don't think the global thresholding made it into the
documentation.  The rule-specific thresholding and rule suppression is
documented in the 'doc/README.thresholding' file.
 
For quieting worms and such, use the threshold type = 'limit'; you can
then specify 1 event to be logged per 10 seconds, or 3 per 60 seconds,
600 seconds, whatever you want.  The document details the whole
functionality.
 
Marc Norton
Senior Software Engineer - Sourcefire,Inc.
410-423-1924  marc.norton () sourcefire com
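An added example (not from Marc's post or the Snort source) that models the 'limit' thresholding he describes, with a global entry keyed on sig_id -1 and a rule-specific entry for one signature; it assumes that a rule-specific threshold takes precedence over the global one and that the window opens at the first event seen, which is how the post's "1 per 10 seconds" reads.

```python
# Added example: a minimal model of Snort 2.0.2 'limit' thresholding.
# Assumptions (not stated in the post): a rule-specific threshold wins over
# the global one (sig_id -1), and the `seconds` window starts at the first
# event seen for a (sig_id, source) pair.

GLOBAL_SIG = -1  # sig_id value the post says selects global thresholding

class LimitThresholds:
    def __init__(self):
        self.rules = {}   # sig_id -> (count, seconds)
        self.state = {}   # (sig_id, src) -> (window_start, events_seen)

    def threshold(self, sig_id, count, seconds):
        """Register 'threshold sig_id X, type limit, count N, seconds M'."""
        self.rules[sig_id] = (count, seconds)

    def _lookup(self, sig_id):
        # Rule-specific entry first, then the global (-1) entry, else None.
        return self.rules.get(sig_id) or self.rules.get(GLOBAL_SIG)

    def log(self, sig_id, src, t):
        """Return True if this event should be logged, False if quieted."""
        cfg = self._lookup(sig_id)
        if cfg is None:
            return True
        count, seconds = cfg
        key = (sig_id, src)
        start, seen = self.state.get(key, (None, 0))
        if start is None or t - start >= seconds:
            start, seen = t, 0          # open a fresh window
        seen += 1
        self.state[key] = (start, seen)
        return seen <= count            # first `count` events per window

def simulate(events, thresholds):
    """Apply thresholds to (sig_id, src, time) events; return the logged ones."""
    return [e for e in events if thresholds.log(*e)]

# Constructed sample events: sig 2000 fires repeatedly, sig 3000 has its own limit.
EVENTS = [(2000, "10.0.0.5", t) for t in (0, 1, 2, 9, 10, 11, 12)] + \
         [(3000, "10.0.0.5", t) for t in (0, 1, 2, 3)]

def demo():
    th = LimitThresholds()
    th.threshold(GLOBAL_SIG, count=1, seconds=10)  # global: 1 event per 10 s
    th.threshold(3000, count=3, seconds=60)        # rule-specific: 3 per 60 s
    return simulate(EVENTS, th)

if __name__ == "__main__":
    for sig, src, t in demo():
        print(f"t={t:2d} sig={sig} src={src} logged")
```

Running it shows sig 2000 reduced to one alert at t=0 and one at t=10, while sig 3000 keeps its first three events and drops the fourth.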
 
 