Snort mailing list archives

Rate limiting alerts


From: Mike Kun <mkun () akamai com>
Date: Thu, 09 Dec 2010 15:04:17 -0500

Does Snort have the ability to rate-limit an alert? For example, if we
were interested to know if a machine is part of a DDoS, we could
threshold a rule to only fire if there are 250 SYN packets in 60 secs.
But, this could fire if a user opens a webpage with lots of redirects or
ads. Therefore, if we'd like to only fire an alert if there is a
sustained number of SYN packets over time, for example 50 SYN packets
per second for 10 seconds.

It doesn't seem like thresholding can do this...
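
The difference between the two conditions in the question, as an added example that is not part of the original post and not Snort code: a single-window count (250 SYNs in 60 seconds) next to a sustained-rate check (at least 50 SYNs in each of 10 consecutive seconds). The function names and the timestamp lists are constructed for illustration; the detector works on SYN arrival times for one source, in seconds.

```python
from collections import Counter

def burst_alert(ts, count=250, window=60.0):
    """Single-window threshold: True if `count` SYNs fall inside any `window` seconds."""
    ts = sorted(ts)
    lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] >= window:      # slide the left edge of the window forward
            lo += 1
        if hi - lo + 1 >= count:
            return True
    return False

def sustained_alert(ts, rate=50, duration=10):
    """True only if `duration` consecutive 1-second buckets each hold >= `rate` SYNs."""
    buckets = Counter(int(t) for t in ts)    # SYNs per whole second
    run, prev = 0, None
    for sec in sorted(buckets):
        if buckets[sec] >= rate:
            # extend the run only if the previous qualifying second is adjacent;
            # a second with no packets at all is absent from `buckets` and breaks it
            run = run + 1 if prev is not None and sec == prev + 1 else 1
            prev = sec
            if run >= duration:
                return True
        else:
            run, prev = 0, None              # a slow second resets the run
    return False

# Constructed sample: a page load with many redirects/ads, 300 SYNs within 2 seconds.
PAGE_LOAD = [100 + i * 2 / 300 for i in range(300)]
# Constructed sample: a steady 50 SYNs per second for 12 seconds.
FLOOD = [200 + i / 50 for i in range(600)]
# Constructed sample: two 5-second runs at 50/s separated by a 5-second pause.
INTERRUPTED = [300 + i / 50 for i in range(250)] + [310 + i / 50 for i in range(250)]

if __name__ == "__main__":
    for name, sample in (("page load", PAGE_LOAD), ("flood", FLOOD),
                         ("interrupted", INTERRUPTED)):
        print(f"{name:12} burst={burst_alert(sample)} sustained={sustained_alert(sample)}")
```

The single-window count fires on all three samples, while the sustained check fires only on the steady flood.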

