[Snort-users] Thresholding

Erwin Van de Velde erwin.vandevelde at ...10361...
Sat Nov 22 07:28:02 EST 2003


Is it possible to make a threshold that does per-source checking? I don't know 
if this is the right English terminology, so I'll tell what I really want to 
say :-)
Let's say you have a SSH server, and you would like to block an IP if more 
than 5 login attempts (TCP-SYN packets to port 22) come from that IP in a 
minute. On the other hand, it's a busy server, so 5 login attempts from 
different locations (IP addresses thus) in one minute should be possible.

Can I do this with thresholding? How? And if it is not possible... are there 
other ways to get this done?

Thanks in advance,

