[Snort-users] activate dynamic

Erek Adams erek at ...950...
Tue Jul 22 06:56:02 EDT 2003


On Tue, 22 Jul 2003, Slighter, Tim wrote:

> yes precisely.  or the other way around too...where the number of times a
> rule is fired is counted and then to STOP alerting when it reaches a certain
> threshold

Nope.  No thresholding of any type.

Now, there is a possible workaround...

Use swatch and its 'throttle' option.  That will perform almost as you
want.  Then once that threshold is done, have swatch cause a very specific
alert that actually generates the data you want.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
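
Added example, not part of the original message and not swatch's own code: a Python sketch of the count-then-stop behaviour discussed above, run over Snort "fast" alert lines. It passes the first few alerts per signature in a time window, suppresses the rest, and emits one specific escalation line when the threshold is reached. The function name, the limit and window defaults, the `year` parameter (fast alerts carry no year) and the sample lines are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in Snort's "fast" alert layout; sids and addresses are made up.
SAMPLE = """\
07/22-06:50:00.000000  [**] [1:1000001:1] EXAMPLE ping sweep [**] [Priority: 2] {ICMP} 192.0.2.10 -> 192.0.2.1
07/22-06:50:10.000000  [**] [1:1000001:1] EXAMPLE ping sweep [**] [Priority: 2] {ICMP} 192.0.2.10 -> 192.0.2.2
07/22-06:50:20.000000  [**] [1:1000002:1] EXAMPLE telnet login [**] [Priority: 1] {TCP} 192.0.2.11:4021 -> 192.0.2.1:23
07/22-06:50:30.000000  [**] [1:1000001:1] EXAMPLE ping sweep [**] [Priority: 2] {ICMP} 192.0.2.10 -> 192.0.2.3
07/22-06:50:40.000000  [**] [1:1000001:1] EXAMPLE ping sweep [**] [Priority: 2] {ICMP} 192.0.2.10 -> 192.0.2.4
07/22-06:51:00.000000  [**] [1:1000001:1] EXAMPLE ping sweep [**] [Priority: 2] {ICMP} 192.0.2.10 -> 192.0.2.5
07/22-06:56:00.000000  [**] [1:1000001:1] EXAMPLE ping sweep [**] [Priority: 2] {ICMP} 192.0.2.10 -> 192.0.2.6
"""

# timestamp, gid:sid (revision dropped), rule message
ALERT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(\d+:\d+):\d+\]\s+(.*?)\s+\[\*\*\]")


def throttle(lines, limit=3, window=timedelta(minutes=5), year=2003):
    """Return (passed, escalations) for an iterable of fast-alert lines."""
    state = {}                      # gid:sid -> (window start, count in window)
    passed, escalations = [], []
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue                # not an alert line; ignore it
        ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")
        sid, msg = m.group(2), m.group(3)
        start, count = state.get(sid, (ts, 0))
        if ts - start >= window:    # window expired: start counting again
            start, count = ts, 0
        count += 1
        state[sid] = (start, count)
        if count <= limit:
            passed.append(line)     # still under the threshold: let it through
        if count == limit:          # threshold reached: one specific alert
            escalations.append(
                f"THRESHOLD sid={sid} hit {limit} alerts since "
                f"{start:%H:%M:%S}; suppressing for rest of window: {msg}")
    return passed, escalations


if __name__ == "__main__":
    kept, raised = throttle(SAMPLE.splitlines())
    print("\n".join(kept + raised))
```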