[Snort-sigs] general sig question
bmc at ...95...
Thu May 22 05:02:08 EDT 2003
On Thu, May 22, 2003 at 02:03:17AM -0400, d_greenjr wrote:
> Is there a way to have a rule alert-and/or log-only after the rule has been detected n amount of times from a specific source?
> For example, how can I edit the following rule to only alerts after the sensor detects this signature 20 times from a single node that is !$HOME_NET?
You can't do that in snort right now as we do not have thresholding support.
More information about the Snort-sigs