[Snort-sigs] general sig question

Brian bmc at ...95...
Thu Feb 5 16:21:03 EST 2004


On Tue, May 27, 2003 at 03:45:35PM -0700, Tom Arseneault wrote:
> On Thu, May 22, 2003 at 02:03:17AM -0400, d_greenjr wrote:
> > Is there a way to have a rule alert-and/or log-only after the rule
> > has been detected n amount of times from a specific source?
> > 
> > For example, how can I edit the following rule to only alerts after
> > the sensor detects this signature 20 times from a single node that
> > is !$HOME_NET?
> 
> You can't do that in snort right now as we do not have thresholding
> support.

now that we have thresholding support, you can do this.

Add this to your rule:
    threshold:type threshold,track by_src,count 5,seconds 60;

-brian
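The threshold option Brian quotes controls how often a rule may fire per tracked address. To make its behaviour concrete for the original question (alert only after 20 hits from one source inside a minute), here is an added example that is not from this post or from Snort itself: a small Python model of the three threshold types documented for the Snort 2.x threshold keyword (limit: first N events per window; threshold: every Nth event; both: once per window after N events), tracked by_src or by_dst, run over constructed events. The window handling (a window opens on the first event for an address and restarts after it expires, and the threshold counter restarts after it fires) is a simplification and an assumption of this model, not Snort's sfthd code. Note also that later Snort 2.x releases (2.8.5 onward) deprecated the threshold rule keyword in favour of detection_filter in the rule and event_filter in snort.conf, with the same type/track/count/seconds vocabulary.

```python
"""Model of Snort 2.x 'threshold:' rule-option semantics (added example, not Snort code)."""
from dataclasses import dataclass


@dataclass
class Threshold:
    type: str      # "limit", "threshold" or "both"
    track: str     # "by_src" or "by_dst"
    count: int
    seconds: int


def parse_threshold(option: str) -> Threshold:
    """Parse the body of a 'threshold:' rule option, e.g.
    'type threshold,track by_src,count 5,seconds 60'."""
    fields = {}
    for part in option.strip().rstrip(";").split(","):
        key, value = part.split()
        fields[key] = value
    thr = Threshold(fields["type"], fields["track"],
                    int(fields["count"]), int(fields["seconds"]))
    if thr.type not in ("limit", "threshold", "both"):
        raise ValueError(f"unknown threshold type: {thr.type!r}")
    if thr.track not in ("by_src", "by_dst"):
        raise ValueError(f"unknown track value: {thr.track!r}")
    if thr.count < 1 or thr.seconds < 1:
        raise ValueError("count and seconds must be positive")
    return thr


@dataclass
class Event:
    t: float       # seconds since capture start
    src: str
    dst: str


class Tracker:
    """Per-address counters for one rule, mirroring 'track by_src' / 'track by_dst'."""

    def __init__(self, thr: Threshold):
        self.thr = thr
        self.windows = {}   # tracked address -> [window_start, events_in_window]

    def alert(self, ev: Event) -> bool:
        """Return True if this event should produce an alert (assumed window model)."""
        addr = ev.src if self.thr.track == "by_src" else ev.dst
        w = self.windows.get(addr)
        # Open a window on the first event for this address, or once the old one expired.
        if w is None or ev.t - w[0] > self.thr.seconds:
            w = [ev.t, 0]
            self.windows[addr] = w
        w[1] += 1
        n, m = w[1], self.thr.count
        if self.thr.type == "limit":       # alert on the first m events per window
            return n <= m
        if self.thr.type == "both":        # alert once per window, on the m-th event
            return n == m
        # "threshold": alert every m-th event; the counter restarts after firing
        if n >= m:
            w[1] = 0
            return True
        return False


def simulate(option: str, events):
    """Feed events through a tracker; return the indices of the events that alert."""
    trk = Tracker(parse_threshold(option))
    return [i for i, ev in enumerate(events) if trk.alert(ev)]


# Constructed sample traffic: one noisy source hits the rule 45 times in 45 s,
# a second source only 5 times in the same period (both outside $HOME_NET here).
NOISY = [Event(t=float(i), src="203.0.113.7", dst="192.0.2.10") for i in range(45)]
QUIET = [Event(t=i * 10 + 0.5, src="203.0.113.9", dst="192.0.2.10") for i in range(5)]

if __name__ == "__main__":
    opt = "type threshold,track by_src,count 20,seconds 60"
    print(opt, "noisy ->", simulate(opt, NOISY))   # fires on the 20th and 40th hit
    print(opt, "quiet ->", simulate(opt, QUIET))   # never reaches 20, stays silent
```

With count 20 the noisy source alerts on its 20th and 40th hit and the quiet one never does, which is the behaviour asked for in the original question; swap in type limit or type both to see the other two policies on the same events.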



