[Snort-users] activate dynamic
erek at ...950...
Tue Jul 22 06:56:02 EDT 2003
On Tue, 22 Jul 2003, Slighter, Tim wrote:
> yes precisely. or the other way around too...where the number of times a
> rule is fired is counted and then to STOP alerting when it reaches a certain
Nope. No thresholding of any type.
Now, there is a possible workaround...
Use swatch and its 'throttle' option. That will perform almost as you
want. Then once that threshold is done, have swatch cause a very specific
alert that actually generates the data you want.
"When things get weird, the weird turn pro." H.S. Thompson
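What the throttle workaround in the message above does to a stream of Snort alerts, as an added Python sketch (not swatch itself and not part of the original post): the first alert per rule in a time window is passed through, repeats are suppressed and counted, and one summary per rule is produced when its window closes. The fast-alert line layout, the five-minute window, the function name and the sample lines are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta

# Snort "fast" alert line: timestamp, [gid:sid:rev], message (assumed layout).
ALERT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]"
)

# Constructed sample input, not real traffic.
TAIL = "[**] [Priority: 0] {ICMP} 192.0.2.10 -> 192.0.2.20"
SAMPLE = [
    f"07/22-06:50:01.000000  [**] [1:1000001:1] Constructed ICMP test {TAIL}",
    f"07/22-06:50:30.000000  [**] [1:1000001:1] Constructed ICMP test {TAIL}",
    f"07/22-06:51:00.000000  [**] [1:1000002:1] Constructed second rule {TAIL}",
    f"07/22-06:52:00.000000  [**] [1:1000001:1] Constructed ICMP test {TAIL}",
    f"07/22-06:56:02.000000  [**] [1:1000001:1] Constructed ICMP test {TAIL}",
]

def throttle(lines, window=timedelta(minutes=5), year=2003):
    """Return (passed, summaries). The first alert per sid in a window is
    passed; repeats inside the window are counted and summarised once."""
    state = {}  # sid -> [window_start, suppressed_count, msg]
    passed, summaries = [], []

    def close(sid):
        _start, suppressed, msg = state.pop(sid)
        if suppressed:
            summaries.append((sid, msg, suppressed))

    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue  # not an alert line
        # Fast alerts carry no year, so one is supplied for parsing.
        ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
        sid, msg = m.group(3), m.group(5)
        if sid in state and ts - state[sid][0] >= window:
            close(sid)  # window expired: report what was suppressed
        if sid in state:
            state[sid][1] += 1  # repeat inside the window: suppress
        else:
            state[sid] = [ts, 0, msg]
            passed.append(line)
    for sid in list(state):
        close(sid)  # flush windows still open at end of input
    return passed, summaries
```

The summaries list is the point at which a single, specific follow-up alert would be generated, as the message suggests doing once the throttle period is over.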