giermo at ...187...
Wed Jan 15 08:37:03 EST 2003
> Is it possible to build into the code or the conf/rules
> an option that would instruct snort to stop logging for
> based upon the source address and after "x" number of
> alerts for "x" amount of time?
This exists in the code (1.9 and 2.0 IIRC). It is an
undocumented Rule option called "threshold". It is
undocumented for a very good reason: It is very, very broken.
Not sure where it is on the list of things-to-do.