[Snort-devel] Snort-snmp

Glenn Mansfield Keeni glenn at ...1085...
Mon Dec 8 16:59:00 EST 2003


Brian,
Brian wrote:

> On Sat, Dec 06, 2003 at 09:59:18AM +0900, Glenn Mansfield Keeni wrote:
> 
>>  We have also added a throttling mechanism for SNMP alerts.
>>In case there is a direct or indirect DoS attack on the IDS
>>system itself. Only MAXALERTSINONESEC alerts per second will
>>be generated. If MAXALERTSINONESEC == 0 this feature is turned
>>off. (MAXALERTSINONESEC is defined in src/output-plugins/spo_SnmpTrap.c. )
> 
> 
> This isn't needed.  Snort CURRENT has thresholding support built in.  If
> you add the following lines to your snort.conf, you will limit every
> alert to go off a thousand times in 60 seconds per SRC IP.
> 
>     threshold gen_id 0, sig_id 0, type limit, track by_src, count \
>         1000, seconds 60

Do we want the alerting mechanism and snort trap/inform mechanism to have
the same throttle?
The trap/inform is a much heavier task compared to other alerting mechanisms;
with that in mind we set the threshold for traps/informs much lower than
that for alerts. Of course, this feature can be nullified by setting
MAXALERTSINONESEC = 0.
> 
> Brian

Glenn
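To make the difference the two of you are discussing concrete, here is an added example (not Snort code, and not from either poster) that models the two throttling semantics side by side: a global per-second cap in the spirit of the MAXALERTSINONESEC check in the SNMP trap plugin, and a per-source "type limit, count N, seconds S" rule like the snort.conf threshold line quoted above. The alert stream, the class names and the `allow()` interface are constructed for illustration; the semantics of Snort's own threshold implementation are only approximated here.

```python
from collections import namedtuple

Alert = namedtuple("Alert", "ts src sid")


class PerSecondCap:
    """Global cap: at most max_per_sec alerts in any one wall-clock second.

    Models the MAXALERTSINONESEC idea for the trap/inform output plugin.
    A cap of 0 disables throttling entirely.  Note the cap is global,
    so one noisy source can starve the others within that second.
    """

    def __init__(self, max_per_sec):
        self.max_per_sec = max_per_sec
        self.current_sec = None
        self.count = 0

    def allow(self, ts, src):
        if self.max_per_sec == 0:          # feature turned off
            return True
        sec = int(ts)
        if sec != self.current_sec:        # new second: reset the counter
            self.current_sec = sec
            self.count = 0
        if self.count < self.max_per_sec:
            self.count += 1
            return True
        return False                        # dropped for this second


class LimitBySrc:
    """Per-source limit: the first `count` alerts from a source in each
    `seconds`-long window pass, the rest in that window are suppressed.

    Approximates 'threshold type limit, track by_src, count N, seconds S'.
    """

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.windows = {}                   # src -> (window_start, n_seen)

    def allow(self, ts, src):
        start, n = self.windows.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0                # open a fresh window
        allowed = n < self.count
        self.windows[src] = (start, n + 1 if allowed else n)
        return allowed


def build_alerts():
    """Constructed sample stream: a burst from 10.0.0.1, a smaller burst
    from 10.0.0.2 in the same second, then a trickle from 10.0.0.1 later."""
    alerts = [Alert(100.0 + i / 10, "10.0.0.1", 1000) for i in range(10)]
    alerts += [Alert(100.05 + i / 10, "10.0.0.2", 1000) for i in range(5)]
    alerts += [Alert(101.0 + i / 10, "10.0.0.1", 1000) for i in range(3)]
    return sorted(alerts, key=lambda a: a.ts)


def simulate(alerts, policy):
    """Return the alerts the policy lets through, in arrival order."""
    return [a for a in alerts if policy.allow(a.ts, a.src)]


def passed_per_src(alerts, policy):
    """Count emitted alerts per source so the two policies can be compared."""
    counts = {}
    for a in simulate(alerts, policy):
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts


if __name__ == "__main__":
    stream = build_alerts()
    print("no cap          :", len(simulate(stream, PerSecondCap(0))))
    print("cap 5/sec       :", passed_per_src(stream, PerSecondCap(5)))
    print("limit 3/60s/src :", passed_per_src(stream, LimitBySrc(3, 60)))
```

Running it shows the trade-off: the global per-second cap lets 8 alerts through (5 in the busy second, all 3 later) and the noisy source takes most of that budget, while the by-source limit passes exactly 3 per source regardless of how loud either one is, and keeps suppressing 10.0.0.1 for the rest of its 60-second window.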