[Snort-sigs] Differences between versions

長坂耕作 nagasaka at ...2239...
Wed Feb 18 20:08:01 EST 2004


My previous email does not have the correct information.

> I solved my problem by myself. It was caused by the threshold feature.
> Although I've turned off the all preprocessors and have never writen
> any thresholds in threshold.conf, there IS the default threshhold
> which can not be disable according to doc/README.threshhold.
> Hence, rules without sids are affected by the default threshold.
> I think that the user manual should have to notice that.

I've studied this behaviour for weeks, and have just got the reason.
(Some comments let me see this behavior from another view point)

My problem was actually caused by that the threshold option in rules
without the sid option becomes the global threshold option.

Thanks,
-------
Text by Kosaku Nagasaka. [E-mail: nagasaka at ...2239...]
<Remember, success comes in "cans", failure comes in "can'ts".>
*****Note that I may read E-mails in the Text format only.*****




More information about the Snort-sigs mailing list