Snort mailing list archives

Re: threshold in rule definition and in threshold.conf


From: Nerijus Krukauskas <nkrukauskas () lb lt>
Date: Thu, 08 Jan 2004 08:43:04 +0200

Jeremy Hewlett wrote:
> On Wed, Jan 07, Nerijus Krukauskas wrote:
>
>> Let's say, I want to raise the count threshold. Will the line in threshold.conf (threshold gen_id 1, sig_id 2274, type threshold, track by_dst, count 10, seconds 60;) give me the desired result?
>
> This should error, you can't apply multiple thresholds to the same
> sid.

Right. Just after sending the original e-mail, I realized that I can try this on my test SNORT. And yes, it triggered an error. And I must go for a drink... :) (This is covered in README.thresholding)

Anyway, I already got Oinkmaster update with the IMAP/POP thresholds raised. Thanks!

>> In other words, will the custom made thresholds in threshold.conf
>> override those in the definition of rules?
>
> Thresholds in a rule will override other thresholds (ie: globals).

Can the above sentence be included in the README.thresholding? Or have I missed that point while reading it?

--
NK @ Vilnius
nk.tinkle.lt
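
The check discussed in this thread, as an added example that is not part of the original e-mail or of Snort: a small Python lint that flags threshold.conf entries whose sid already carries an in-rule threshold (the case that produced the load error) and marks global entries, which in-rule thresholds override. The sample rules and threshold.conf are constructed; treating sig_id 0 as the global form and gen_id 1 as the rule generator are assumptions taken from the Snort 2.x thresholding syntax.

```python
import re

# In-rule option, e.g. "threshold: type threshold, track by_dst, count 5, seconds 60;"
RULE_THRESHOLD = re.compile(r"\bthreshold\s*:")
RULE_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# Standalone entry, same shape as the threshold.conf line quoted in the thread
CONF_LINE = re.compile(r"^\s*threshold\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,")

# Constructed sample input (not real rule content); sid 2274 is the one from the thread.
SAMPLE_RULES = """\
alert tcp any any -> any 110 (msg:"constructed sample A"; threshold: type threshold, track by_dst, count 5, seconds 60; sid:2274; rev:1;)
alert tcp any any -> any 143 (msg:"constructed sample B"; sid:1000001; rev:1;)
"""
SAMPLE_CONF = """\
# constructed threshold.conf
threshold gen_id 1, sig_id 2274, type threshold, track by_dst, count 10, seconds 60
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
"""

def sids_with_inline_threshold(rules_text):
    """Return the set of sids whose rule carries its own threshold option."""
    sids = set()
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out rule
        sid = RULE_SID.search(line)
        if sid and RULE_THRESHOLD.search(line):
            sids.add(int(sid.group(1)))
    return sids

def check_threshold_conf(rules_text, conf_text):
    """Return (line number, gen_id, sig_id, status) for each threshold.conf entry."""
    inline = sids_with_inline_threshold(rules_text)
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = CONF_LINE.match(line)
        if not m:
            continue  # comment, blank line or another directive
        gen_id, sig_id = int(m.group(1)), int(m.group(2))
        if sig_id == 0:
            status = "global"    # per the thread, in-rule thresholds override it
        elif gen_id == 1 and sig_id in inline:
            status = "conflict"  # second threshold on the same sid: Snort errors
        else:
            status = "ok"
        findings.append((lineno, gen_id, sig_id, status))
    return findings
```

Calling `check_threshold_conf(SAMPLE_RULES, SAMPLE_CONF)` reports the sid 2274 entry as a conflict, which is the point at which the in-rule threshold has to be edited or removed instead of adding a second one in threshold.conf.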

