Snort mailing list archives

What is the difference between using "threshold" and "track" for a rule and flow-portscan??


From: Lerdpong Lerdpaisarnwong <lerdpong () hotmail com>
Date: Sat, 11 Aug 2007 08:49:17 +0000

Hey everyone, I'm a newbie. I used Snort for detecting scanning worms, whose characteristic is sending packets from
a source to many destinations to find victims, so I used the flow-portscan preprocessor to detect them. But then I read
the manual and found that I can write a rule using "threshold" and "track". For example:

alert icmp any any -> any any (msg: "Alert for scan worm"; threshold: type threshold, track by_src, count 100, seconds 1;)

Does anyone know the difference between them??

Regards,
JO
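To make the question concrete, here is an added illustration (not Snort's code and not from the poster): a simplified model of what the rule-level "threshold" keyword counts, next to a portscan-style counter of distinct destinations per source. The traffic, the host addresses and the class names are constructed for the demo. The threshold types limit, threshold and both follow the Snort manual's definitions (first N events per window, every Nth event, once per window on the Nth event); the window handling is a simplified fixed window, not Snort's actual implementation.

```python
"""Simplified model of Snort's rule-level 'threshold' keyword next to a
portscan-style distinct-destination counter. Added illustration only: this is
not Snort's implementation and the traffic below is constructed."""
from dataclasses import dataclass


@dataclass
class Event:
    ts: float   # seconds since start of capture
    src: str
    dst: str


class ThresholdTracker:
    """threshold: type <limit|threshold|both>, track <by_src|by_dst>, count N, seconds S

    Counts every matching event per tracked address inside a fixed window of S
    seconds (the window restarts when an event falls outside it). Destination
    variety is ignored: 100 packets to one host and 100 packets to 100 hosts
    look identical to this counter.
    """
    def __init__(self, kind: str, track: str, count: int, seconds: float):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError(kind)
        if track not in ("by_src", "by_dst"):
            raise ValueError(track)
        self.kind, self.track, self.count, self.seconds = kind, track, count, seconds
        self.windows = {}   # tracked address -> (window_start, events_seen)

    def observe(self, ev: Event) -> bool:
        """Return True when this event should produce an alert."""
        key = ev.src if self.track == "by_src" else ev.dst
        start, n = self.windows.get(key, (ev.ts, 0))
        if ev.ts - start >= self.seconds:      # window expired: start a new one
            start, n = ev.ts, 0
        n += 1
        self.windows[key] = (start, n)
        if self.kind == "limit":               # first N events in the window alert
            return n <= self.count
        if self.kind == "threshold":           # every Nth event in the window alerts
            return n % self.count == 0
        return n == self.count                 # both: once per window, on the Nth event


class DistinctDestinationTracker:
    """Portscan-style counter (simplified): alerts once when one source has
    contacted N distinct destinations inside S seconds. Repeated packets to the
    same destination never advance the count."""
    def __init__(self, count: int, seconds: float):
        self.count, self.seconds = count, seconds
        self.windows = {}   # src -> (window_start, set of destinations)

    def observe(self, ev: Event) -> bool:
        start, dsts = self.windows.get(ev.src, (ev.ts, set()))
        if ev.ts - start >= self.seconds:
            start, dsts = ev.ts, set()
        dsts.add(ev.dst)
        self.windows[ev.src] = (start, dsts)
        return len(dsts) == self.count


def count_alerts(kind: str, n_events: int, count: int) -> int:
    """How many alerts N back-to-back events from one source produce under each type."""
    tracker = ThresholdTracker(kind, "by_src", count, seconds=1.0)
    events = [Event(ts=i * 0.01, src="10.0.0.9", dst="10.0.0.1") for i in range(n_events)]
    return sum(tracker.observe(ev) for ev in events)


def compare_trackers() -> dict:
    """Constructed traffic: host A sends 100 ICMP packets to a single host,
    host B sends 100 ICMP packets to 100 different hosts, both inside one second."""
    events = []
    for i in range(100):
        events.append(Event(ts=i * 0.005, src="192.0.2.10", dst="198.51.100.1"))
        events.append(Event(ts=i * 0.005, src="192.0.2.20", dst=f"198.51.100.{i + 1}"))
    rule_threshold = ThresholdTracker("threshold", "by_src", count=100, seconds=1.0)
    scan_style = DistinctDestinationTracker(count=100, seconds=1.0)
    return {
        "threshold_by_src": sorted({ev.src for ev in events if rule_threshold.observe(ev)}),
        "distinct_dst": sorted({ev.src for ev in events if scan_style.observe(ev)}),
    }


if __name__ == "__main__":
    for kind in ("limit", "threshold", "both"):
        print(f"{kind:9s}: {count_alerts(kind, 10, 3)} alerts for 10 events, count 3")
    print(compare_trackers())
```

Running it shows the point of the question: the rule with "track by_src, count 100, seconds 1" alerts on both hosts, because it only counts how many times the rule matched per source, while the distinct-destination counter alerts only on the host that touched 100 different targets, which is the behaviour a worm hunting for victims actually exhibits.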
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users