Glenn Mansfield Keeni
glenn at ...1085...
Mon Dec 8 16:59:00 EST 2003
> On Sat, Dec 06, 2003 at 09:59:18AM +0900, Glenn Mansfield Keeni wrote:
>> We have also added a throttling mechanism for SNMP alerts.
>> In case there is a direct or indirect DoS attack on the IDS
>> system itself. Only MAXALERTSINONESEC alerts per second will
>> be generated. If MAXALERTSINONESEC == 0 this feature is turned
>> off. (MAXALERTSINONESEC is defined in src/output-plugins/spo_SnmpTrap.c.)
> This isn't needed. Snort CURRENT has thresholding support built in. If
> you add the following lines to your snort.conf, you will limit every
> alert to go off a thousand times in 60 seconds per SRC IP.
> threshold gen_id 0, sig_id 0, type limit, track by_src, count \
> 1000, seconds 60
Do we want the alerting mechanism and the snort trap/inform mechanism to have
the same throttle?
The trap/inform is a much heavier task compared to other alerting mechanisms;
with that in mind we set the threshold for traps/informs much lower than
that for alerts. Of course, this feature can be nullified by setting
MAXALERTSINONESEC = 0.
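The per-second cap described in the thread can be sketched as a small counter that resets on every new wall-clock second and drops (while counting) anything beyond the limit within that second. The following is an added example, not code from spo_SnmpTrap.c or any other part of Snort; the type and function names (trap_throttle_t, trap_throttle_allow, simulate_burst, simulate_two_seconds) are assumed, and the burst sizes and timestamps are constructed for the demonstration. It keeps the thread's convention that a limit of 0 disables throttling, and it records how many traps were suppressed so an operator can see when the limiter engaged (a DoS against the trap sender should be visible, not silent).

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Added example, not Snort's spo_SnmpTrap.c: a per-second throttle for
 * trap/inform emission modelled on the MAXALERTSINONESEC description.
 * max_per_sec == 0 means the feature is turned off. */
typedef struct {
    unsigned      max_per_sec;     /* 0 => throttling disabled */
    time_t        window_start;    /* the wall-clock second being counted */
    unsigned      sent_in_window;  /* traps allowed during that second */
    unsigned long suppressed;      /* traps dropped since init (for a log line) */
} trap_throttle_t;

void trap_throttle_init(trap_throttle_t *t, unsigned max_per_sec) {
    t->max_per_sec = max_per_sec;
    t->window_start = 0;
    t->sent_in_window = 0;
    t->suppressed = 0;
}

/* Returns true if a trap may be sent at wall-clock time `now`.
 * The counter is reset whenever a new second begins, so at most
 * max_per_sec traps leave the sensor in any one second. */
bool trap_throttle_allow(trap_throttle_t *t, time_t now) {
    if (t->max_per_sec == 0)
        return true;                     /* feature off: never throttle */
    if (now != t->window_start) {        /* new second: start a fresh count */
        t->window_start = now;
        t->sent_in_window = 0;
    }
    if (t->sent_in_window < t->max_per_sec) {
        t->sent_in_window++;
        return true;
    }
    t->suppressed++;                     /* dropped, but accounted for */
    return false;
}

/* Feeds `burst` alerts that all arrive within the same second `at`
 * (constructed input) and returns how many traps were actually emitted. */
unsigned simulate_burst(unsigned max_per_sec, unsigned burst, time_t at) {
    trap_throttle_t t;
    unsigned emitted = 0;
    trap_throttle_init(&t, max_per_sec);
    for (unsigned i = 0; i < burst; i++)
        if (trap_throttle_allow(&t, at))
            emitted++;
    return emitted;
}

/* Same burst in two consecutive seconds: shows the counter resetting,
 * so the total emitted is 2 * min(burst, max_per_sec). */
unsigned simulate_two_seconds(unsigned max_per_sec, unsigned burst) {
    trap_throttle_t t;
    unsigned emitted = 0;
    trap_throttle_init(&t, max_per_sec);
    for (time_t sec = 1000; sec < 1002; sec++)
        for (unsigned i = 0; i < burst; i++)
            if (trap_throttle_allow(&t, sec))
                emitted++;
    return emitted;
}

int main(void) {
    /* Constructed scenario: 100 alerts in one second, cap of 5 per second. */
    printf("cap 5, burst 100: emitted %u\n", simulate_burst(5, 100, 1000));
    printf("cap 0 (off), burst 100: emitted %u\n", simulate_burst(0, 100, 1000));
    printf("cap 3, burst 10 over two seconds: emitted %u\n",
           simulate_two_seconds(3, 10));
    return 0;
}
```

The window here is the current calendar second rather than a sliding one, which matches the "per second" wording in the thread; a sliding window or token bucket would smooth bursts that straddle a second boundary at the cost of a little more state.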