[Snort-sigs] filtering with snortsam after more than one match

Matt Kettler mkettler at ...189...
Mon Dec 8 08:52:06 EST 2003


At 07:14 AM 12/8/2003, Alexandru Balan wrote:
>Let's say I have a rule that outputs to fwsam which filters out the
>offending IP. Is there a way to make it output to fwsam after 5 matches
>on that sig?
>For example, I want snortsam to filter out the offending IP if snort
>detects more than 5 identical matches on a signature per 3 seconds or
>something like that. Any help would be much appreciated.


See doc/README.thresholding in the tarball.





