Snort mailing list archives
RE: Any way to do "default" threshold?
From: "Basselgia, Barry A Mr (NAF Atsugi)" <BABasselgia () atsugi navy mil>
Date: Mon, 20 Dec 2004 08:59:52 +0900
How would this "default" threshold work if you already had other thresholds set for specific sig_id's? Will this override the other thresholds?

Barry

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Jeremy Hewlett
Sent: Saturday, December 18, 2004 12:15 AM
To: Snort Users
Subject: Re: [Snort-users] Any way to do "default" threshold?

On Fri, Dec 17, Jeff Kell wrote:
Is there a way to set some sort of "default" threshold for alerts? When a virus/bot/worm/script-kiddie starts scanning a host or scanning a subnet, I am not really interested in an alert for every one of their thousands of packets. Some default threshold by_src with a count and time would be nice, but maybe I'm dreaming...
threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60

That logs one event per 60 seconds per IP triggering any alert for any event generator. Something similar to that should work for you.

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
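The effect of the threshold line quoted above on a noisy scanner, as an added example that is not part of the original posts and is not Snort's own code. It is a small model of `type limit` only. Assumptions: 0 in gen_id/sig_id acts as a wildcard, counters are kept per rule and tracked IP, and the window restarts on the first event after it expires. The sids and addresses are constructed sample data.

```python
# The threshold line from the message above.
THRESHOLD = "threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60"

def parse_threshold(line):
    """Parse a standalone 'threshold' line into a dict of its options."""
    body = line.strip()
    if not body.startswith("threshold "):
        raise ValueError("not a threshold line")
    opts = {}
    for part in body[len("threshold "):].split(","):
        key, value = part.split()
        opts[key] = int(value) if value.isdigit() else value
    return opts

def limit_filter(th, events):
    """Return the events a 'type limit' threshold lets through.

    events: time-ordered tuples (ts_seconds, gen_id, sig_id, src_ip, dst_ip).
    Model assumptions (not taken from Snort's source): gen_id/sig_id 0 match
    anything, and state is kept per (gen_id, sig_id, tracked IP).
    """
    if th["type"] != "limit":
        raise ValueError("only 'type limit' is modelled here")
    state = {}    # (gen_id, sig_id, ip) -> [window_start, count_in_window]
    logged = []
    for ev in events:
        ts, gen, sig, src, dst = ev
        if th["gen_id"] not in (0, gen) or th["sig_id"] not in (0, sig):
            logged.append(ev)          # threshold does not cover this event
            continue
        ip = src if th["track"] == "by_src" else dst
        slot = state.setdefault((gen, sig, ip), [ts, 0])
        if ts - slot[0] >= th["seconds"]:
            slot[0], slot[1] = ts, 0   # window expired: start a new one
        slot[1] += 1
        if slot[1] <= th["count"]:     # only the first `count` events are logged
            logged.append(ev)
    return logged

def sample_events():
    """Constructed data: one host scanning for 150 s, plus two alerts from another host."""
    scan = [(t, 1, 1000001, "192.0.2.10", "198.51.100.%d" % (t % 250 + 1))
            for t in range(150)]
    other = [(5, 1, 1000002, "192.0.2.20", "198.51.100.7"),
             (30, 1, 1000002, "192.0.2.20", "198.51.100.7")]
    return sorted(scan + other)

if __name__ == "__main__":
    kept = limit_filter(parse_threshold(THRESHOLD), sample_events())
    print("%d of %d alerts logged" % (len(kept), len(sample_events())))
```
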
Current thread:
- RE: Any way to do "default" threshold? Basselgia, Barry A Mr (NAF Atsugi) (Dec 19)
- Re: Any way to do "default" threshold? Jeremy Hewlett (Dec 20)