[Snort-sigs] general sig question

Brian bmc at ...95...
Thu May 22 05:02:08 EDT 2003


On Thu, May 22, 2003 at 02:03:17AM -0400, d_greenjr wrote:
> Is there a way to have a rule alert and/or log only after the rule has been detected n times from a specific source?
> 
> For example, how can I edit the following rule to only alert after the sensor detects this signature 20 times from a single node that is !$HOME_NET?

You can't do that in Snort right now as we do not have thresholding support.

-brian



