[Snort-sigs] Limiting Alert Rates? Newbie

Erek Adams erek at ...95...
Tue Aug 26 14:52:04 EDT 2003

On Tue, 26 Aug 2003, Jacob Roberts wrote:


> Is there a way to write a rule (or something else) to only throw an
> alert after X matches?  We would set it at something like 1000 pings
> throws an alert, rather than a separate alert for each ping.


Snort does not have any sort of thresholding ability.

Swatch can sorta do this, but you'd have to parse syslog data and then
send over a 'pseudo alert'.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
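
The approach described above (parse the syslog data, count matches, send one pseudo alert), as an added example that is not part of the original post and is not Swatch configuration. It is a Python filter that assumes Snort alerts arrive in the syslog line layout of the constructed sample; the function names, the 60-second window and the grouping by signature and source address are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Snort syslog alert line (layout assumed; adjust to your sensor's output).
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort(?:\[\d+\])?: "
    r"\[(?P<sig>\d+:\d+:\d+)\] (?P<msg>.*?) \[Classification"
    r".*\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)"
)

def threshold_alerts(lines, limit=1000, window=timedelta(seconds=60), year=2003):
    """Yield one pseudo alert each time a (signature, source) pair reaches
    `limit` matches inside `window`; lines that are not Snort alerts are skipped."""
    seen = defaultdict(deque)  # (sig, src) -> timestamps still inside the window
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = seen[(m["sig"], m["src"])]
        q.append(ts)
        while ts - q[0] > window:  # drop matches older than the window
            q.popleft()
        if len(q) >= limit:
            yield (f"{m['ts']} THRESHOLD [{m['sig']}] {m['msg']}: {len(q)} "
                   f"alerts from {m['src']} within {int(window.total_seconds())}s")
            q.clear()  # start counting again after the pseudo alert

def sample_log():
    """Constructed sample: 5 pings from one host, 2 from another, 1 unrelated line."""
    fmt = ("Aug 26 14:50:{:02d} sensor snort: [1:384:5] ICMP PING "
           "[Classification: Misc activity] [Priority: 3]: {{ICMP}} {} -> 192.168.1.1")
    lines = [fmt.format(s, "10.0.0.5") for s in range(5)]
    lines += [fmt.format(s, "10.0.0.9") for s in (10, 11)]
    lines.append("Aug 26 14:50:12 sensor sshd[411]: session opened")
    return lines

if __name__ == "__main__":
    # limit lowered to 5 so the small constructed sample triggers once
    for alert in threshold_alerts(sample_log(), limit=5):
        print(alert)
```
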
