Snort mailing list archives
Rate limiting alerts
From: Mike Kun <mkun () akamai com>
Date: Thu, 09 Dec 2010 15:04:17 -0500
Does Snort have the ability to rate-limit an alert? For example, if we were interested to know if a machine is part of a DDOS, we could threshold a rule to only fire if there are 250 syn packets in 60 secs. But, this could fire if a user opens a webpage with lots of redirects or ads. Therefore, we'd like to only fire an alert if there is a sustained number of syn packets over time, for example 50 syn packets per second for 10 seconds. It doesn't seem like thresholding can do this...
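The two policies contrasted in the message above, modelled in Python as an added example (not part of the original post and not Snort code). It shows why a count-in-window test fires on a short burst while a sustained per-second test does not. The function names, source addresses and packet timestamps are constructed for illustration.

```python
from collections import defaultdict

def window_count_alerts(events, count=250, seconds=60):
    """Sources that send `count` SYNs inside any `seconds`-long window."""
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    hits = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] >= seconds:  # slide the window forward
                start += 1
            if end - start + 1 >= count:
                hits.add(src)
                break
    return hits

def sustained_rate_alerts(events, per_second=50, duration=10):
    """Sources with >= per_second SYNs in each of `duration` consecutive seconds."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src in events:
        buckets[src][int(ts)] += 1  # one bucket per whole second
    hits = set()
    for src, per_sec in buckets.items():
        run, last_hot = 0, None
        for sec in sorted(per_sec):
            if per_sec[sec] < per_second:
                continue  # a quiet second never extends a run
            # A gap (quiet or empty second) restarts the run at 1.
            run = run + 1 if last_hot == sec - 1 else 1
            last_hot = sec
            if run >= duration:
                hits.add(src)
                break
    return hits

def sample_events():
    """Constructed traffic: one bursty client and one sustained sender."""
    events = []
    for i in range(300):  # 300 SYNs in about 2 seconds, then silence
        events.append((100 + i / 150, "10.0.0.5"))
    for s in range(12):  # 60 SYNs per second for 12 seconds
        for i in range(60):
            events.append((200 + s + i / 60, "10.0.0.9"))
    return events

if __name__ == "__main__":
    print("250 in 60 s:   ", sorted(window_count_alerts(sample_events())))
    print("50/s for 10 s: ", sorted(sustained_rate_alerts(sample_events())))
```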
Current thread:
- Rate limiting alerts Mike Kun (Dec 09)
- Re: Rate limiting alerts Joel Esler (Dec 09)