Snort mailing list archives

global threshold question


From: David Wilburn <bug () gecko roadtoad net>
Date: Mon, 29 Mar 2004 04:44:44 -0800

Quick question regarding global thresholds.  Consider the following:

threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60

Does this specify that each given host can only trigger one alert per
minute, or that each given host can only trigger one alert per rule
per minute?  If it is the former, how can I achieve the latter instead?

I am trying to avoid a situation in which a worm, autorooter, or
rapid-working human attacker were able to use scan or chaff traffic
to prevent the logging of more important attack rules.

-Dave Wilburn
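The two readings the question contrasts can be made concrete with a small model of a `type limit, track by_src` threshold. This is an added illustration, not code from the Snort project and not a statement of how Snort keys its global thresholds: `per_rule=True` assumes the counter is kept per (gen_id, sig_id, source), `per_rule=False` assumes one counter per source, and the event stream is constructed to show chaff from one host masking a later, more important alert under the per-source-only reading.

```python
# Constructed events: (timestamp_seconds, gen_id, sig_id, src_ip).
# A noisy source at 10.0.0.5 fires a low-value "chaff" rule (sig 1000)
# several times, then trips the rule that matters (sig 2000) inside the
# same 60-second window.  10.0.0.9 is a second, quiet source.
EVENTS = [
    (0, 1, 1000, "10.0.0.5"),
    (5, 1, 1000, "10.0.0.5"),
    (10, 1, 1000, "10.0.0.5"),
    (20, 1, 2000, "10.0.0.5"),   # important rule, same source, same window
    (25, 1, 2000, "10.0.0.9"),   # different source, logged under both readings
    (70, 1, 1000, "10.0.0.5"),   # first event of a fresh 60-second window
]


def apply_limit_threshold(events, count=1, seconds=60, per_rule=True):
    """Model a 'type limit, track by_src, count N, seconds S' threshold.

    'limit' logs the first `count` events per tracking key in each
    `seconds` window and drops the rest.  per_rule=True keys the counter
    on (gen_id, sig_id, src); per_rule=False keys it on src alone
    (assumed models of the two readings, not Snort's own code).
    Returns the events that would be logged, in order.
    """
    state = {}   # key -> (window_start, events_seen_in_window)
    logged = []
    for ts, gid, sid, src in events:
        key = (gid, sid, src) if per_rule else src
        start, seen = state.get(key, (None, 0))
        if start is None or ts - start >= seconds:
            start, seen = ts, 0          # open a fresh window for this key
        seen += 1
        state[key] = (start, seen)
        if seen <= count:
            logged.append((ts, gid, sid, src))
    return logged


def logged_sigs(events, per_rule):
    """Convenience view: (sig_id, src) of every event that survives."""
    return [(sid, src) for _, _, sid, src in
            apply_limit_threshold(events, per_rule=per_rule)]


if __name__ == "__main__":
    print("per host only  :", logged_sigs(EVENTS, per_rule=False))
    print("per host + rule:", logged_sigs(EVENTS, per_rule=True))
```

Under the per-source-only reading the sig 2000 event from 10.0.0.5 at t=20 is dropped because the chaff already consumed that host's one alert for the window; under the per-rule reading it is logged.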

