Snort mailing list archives

Re: snort event filtering


From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 14 Nov 2012 12:08:54 -0500

On Tue, Nov 13, 2012 at 11:52 PM, amin Salehi <seyedamin_salehi () yahoo com>wrote:

Hi. I wrote the following command in threshold.conf:

event_filter gen_id 1, sig_id 1000001, track by_src, type both, count 3, seconds 10

According to the Snort 2.9.3.1 manual, this command means that if 3 matches occur,
then 1 event is processed in 10 seconds.
But when I run Snort from the beginning, every 10 seconds 1 event is
processed (1 alert is displayed on screen). What is the problem?

That is working correctly. From the manual:

"Type both: alerts once per time interval after seeing m occurrences of the
event, then ignores any additional events during the time interval."
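To see why a steady stream of matches produces exactly one alert per 10-second window under "type both", here is a small model of the three event_filter types (limit, threshold, both) as the manual describes them. This is an added illustration, not code from Snort or from anyone in the thread. It assumes each tracked address has its own window that opens at its first event and is replaced once `seconds` have elapsed, and that for "threshold" the window restarts whenever an alert fires; the traffic it runs over is constructed sample data (10.0.0.5 sending one match per second for 30 s, 10.0.0.6 sending a burst of three).

```python
"""Model of Snort event_filter 'limit', 'threshold' and 'both' semantics.

Added example, not Snort's own sfthd code. Assumption: each tracked address
gets its own window, opened at its first event and replaced once `seconds`
have elapsed; for 'threshold' the window also restarts when an alert fires.
"""
from typing import Dict, List, Tuple

Event = Tuple[float, str, str]  # (time in seconds, src, dst)


class EventFilter:
    def __init__(self, type_: str, count: int, seconds: float, track: str = "by_src"):
        if type_ not in ("limit", "threshold", "both"):
            raise ValueError(f"unknown event_filter type {type_!r}")
        self.type = type_
        self.count = count
        self.seconds = seconds
        self.track = track
        # per tracked address: (window start time, events seen in this window)
        self._state: Dict[str, Tuple[float, int]] = {}

    def _key(self, src: str, dst: str) -> str:
        return src if self.track == "by_src" else dst

    def allow(self, t: float, src: str, dst: str) -> bool:
        """Return True if the matching event seen at time t should alert."""
        k = self._key(src, dst)
        start, n = self._state.get(k, (t, 0))
        if t - start >= self.seconds:      # window expired: open a fresh one
            start, n = t, 0
        n += 1
        if self.type == "limit":           # alert on the first `count` events per window
            fire = n <= self.count
        elif self.type == "threshold":     # alert every `count` events, then start over
            fire = n >= self.count
            if fire:
                start, n = t, 0
        else:                              # both: alert once per window, on the count-th event
            fire = n == self.count
        self._state[k] = (start, n)
        return fire


def simulate(type_: str, count: int, seconds: float,
             events: List[Event]) -> List[Tuple[float, str]]:
    """Run one filter over a time-ordered event list; return (time, src) of each alert."""
    f = EventFilter(type_, count, seconds)
    return [(t, src) for (t, src, dst) in events if f.allow(t, src, dst)]


def constructed_stream() -> List[Event]:
    """Constructed sample traffic (not captured data): one match per second
    from 10.0.0.5 for 30 s, plus a burst of three from 10.0.0.6 at t=4,5,6."""
    ev = [(float(t), "10.0.0.5", "10.0.0.1") for t in range(30)]
    ev += [(float(t), "10.0.0.6", "10.0.0.1") for t in (4, 5, 6)]
    return sorted(ev)


def demo(count: int = 3, seconds: float = 10.0) -> Dict[str, List[Tuple[float, str]]]:
    """Apply 'count 3, seconds 10' with each type to the constructed stream."""
    stream = constructed_stream()
    return {t: simulate(t, count, seconds, stream) for t in ("limit", "threshold", "both")}


if __name__ == "__main__":
    for type_, alerts in demo().items():
        print(f"type {type_:9s}: {len(alerts):2d} alerts at t={[t for t, _ in alerts]}")
```

With the thread's settings, "both" alerts for 10.0.0.5 only at t=2, 12 and 22 (the third match of each 10-second window) and once for 10.0.0.6 at t=6, because by_src keeps a separate window per source. The same stream gives 12 alerts under "limit" and 11 under "threshold", which is the difference to keep in mind when choosing a type: "both" is the one that collapses a sustained flood to a single alert per interval.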



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

