[Snort-devel] Snort-snmp

Brian bmc at ...835...
Fri Dec 5 18:03:01 EST 2003


On Sat, Dec 06, 2003 at 09:59:18AM +0900, Glenn Mansfield Keeni wrote:
>   We have also added a throttling mechanism for SNMP alerts,
> in case there is a direct or indirect DoS attack on the IDS
> system itself. Only MAXALERTSINONESEC alerts per second will
> be generated. If MAXALERTSINONESEC == 0 this feature is turned
> off. (MAXALERTSINONESEC is defined in src/output-plugins/spo_SnmpTrap.c.)

This isn't needed.  Snort CURRENT has thresholding support built in.  If
you add the following lines to your snort.conf, you will limit every
alert to go off a thousand times in 60 seconds per SRC IP.

    threshold gen_id 0, sig_id 0, type limit, track by_src, count \
        1000, seconds 60

Brian
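An added illustration, not code from Snort or from either poster: it models the `type limit, track by_src, count N, seconds T` threshold quoted above next to a flat per-second cap of the MAXALERTSINONESEC kind, replaying the same constructed alert stream through both so the difference in what gets logged is visible. Timestamps, addresses and signature ids are made up.

```python
# Added example (not Snort's code): models `threshold ... type limit,
# track by_src, count N, seconds T` next to a flat per-second cap like
# the proposed MAXALERTSINONESEC, on a constructed alert stream.
from collections import defaultdict

# Constructed alerts: (timestamp, src_ip, sig_id). Source 10.0.0.5 floods
# one signature; 192.168.1.7 fires a different signature a few times.
EVENTS = sorted(
    [(1.0 + i * 0.01, "10.0.0.5", 1000001) for i in range(20)]
    + [(1.055, "192.168.1.7", 1000002), (1.5, "192.168.1.7", 1000002),
       (70.0, "10.0.0.5", 1000001)]
)

def limit_by_src(events, count, seconds):
    """`type limit, track by_src`: log the first `count` alerts for each
    (signature, source) pair within a `seconds` window and drop the rest;
    the window opens at the first alert that starts it."""
    window_start, seen, logged = {}, defaultdict(int), []
    for ts, src, sig in events:
        key = (sig, src)
        if key not in window_start or ts - window_start[key] >= seconds:
            window_start[key] = ts
            seen[key] = 0
        if seen[key] < count:
            seen[key] += 1
            logged.append((ts, src, sig))
    return logged

def cap_per_second(events, max_per_sec):
    """Flat throttle in the style of MAXALERTSINONESEC: at most `max_per_sec`
    alerts per wall-clock second across all sources; 0 disables it."""
    if max_per_sec == 0:
        return list(events)
    logged, cur_sec, n = [], None, 0
    for ev in events:
        if int(ev[0]) != cur_sec:
            cur_sec, n = int(ev[0]), 0
        if n < max_per_sec:
            n += 1
            logged.append(ev)
    return logged

if __name__ == "__main__":
    for name, out in (("limit by_src 3/60s", limit_by_src(EVENTS, 3, 60)),
                      ("global cap 5/s", cap_per_second(EVENTS, 5))):
        srcs = defaultdict(int)
        for _, src, _ in out:
            srcs[src] += 1
        print(f"{name}: {len(out)} logged, per source {dict(srcs)}")
```

With these inputs the per-source limit keeps both of 192.168.1.7's alerts while capping the flooding source, whereas the flat cap spends its whole per-second budget on the flood and logs nothing from 192.168.1.7.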



