bmc at ...835...
Fri Dec 5 18:03:01 EST 2003
On Sat, Dec 06, 2003 at 09:59:18AM +0900, Glenn Mansfield Keeni wrote:
> We have also added a throttling mechanism for SNMP alerts,
> in case there is a direct or indirect DoS attack on the IDS
> system itself. Only MAXALERTSINONESEC alerts per second will
> be generated. If MAXALERTSINONESEC == 0 this feature is turned
> off. (MAXALERTSINONESEC is defined in src/output-plugins/spo_SnmpTrap.c.)
This isn't needed. Snort CURRENT has thresholding support built in. If
you add the following lines to your snort.conf, you will limit every
alert to go off a thousand times in 60 seconds per SRC IP.

    threshold gen_id 0, sig_id 0, type limit, track by_src, count \
        1000, seconds 60

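
The per-source limiting that the threshold line above asks for, as an added example that is not part of the original post and is not Snort's own code: it passes the first `count` events from each source IP in a `seconds`-long window and suppresses the rest. The names `limit_cfg`, `src_state`, `limit_should_alert` and `limit_reset`, the fixed-size table and the sample address are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sketch of "type limit, track by_src": per source IP, pass the first
 * `count` events in each `seconds`-long window and suppress the rest.
 * Hypothetical names and a fixed-size table; not Snort's implementation. */
#define SLOTS 1024
struct limit_cfg { unsigned count; unsigned seconds; };
struct src_state { uint32_t ip; long window_start; unsigned seen; int used; };
static struct src_state table[SLOTS];

static struct src_state *lookup(uint32_t ip)
{
    unsigned i, h = (ip * 2654435761u) % SLOTS;
    for (i = 0; i < SLOTS; i++) {               /* linear probing */
        struct src_state *s = &table[(h + i) % SLOTS];
        if (!s->used) { s->used = 1; s->ip = ip; s->window_start = -1; return s; }
        if (s->ip == ip) return s;
    }
    return NULL;                                 /* table full */
}

/* Returns 1 if the alert should be emitted, 0 if it is suppressed.
 * `now` is a non-negative time in seconds. */
int limit_should_alert(const struct limit_cfg *cfg, uint32_t src_ip, long now)
{
    struct src_state *s = lookup(src_ip);
    if (s == NULL)
        return 1;    /* fail open: never drop an alert for lack of state */
    if (s->window_start < 0 || now - s->window_start >= (long)cfg->seconds) {
        s->window_start = now;                   /* start a new window */
        s->seen = 0;
    }
    if (s->seen < cfg->count) { s->seen++; return 1; }
    return 0;
}

void limit_reset(void) { memset(table, 0, sizeof table); }

int main(void)
{
    struct limit_cfg cfg = { 1000, 60 };         /* values from the snort.conf line */
    int i, passed = 0;
    for (i = 0; i < 1500; i++)                   /* constructed burst from one source */
        passed += limit_should_alert(&cfg, 0xc0000201u, i / 100);
    printf("passed %d of 1500 alerts\n", passed);
    return 0;
}
```

Because state is kept per source, this bounds alerts per source IP rather than the total alert rate, which grows with the number of distinct sources seen.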