[Snort-users] snort 2.0.2 - Rule Thresholding

Marc Norton marc.norton at ...1935...
Thu Sep 18 05:40:47 EDT 2003


The new thresholding feature supports both rule-specific thresholding
and global thresholding to quiet all of the rules down.  Using global
thresholding requires you to use a sig_id value of -1 in the 'threshold'
command instead of a specific rule sig_id.  I am posting this tidbit
because I don't think the global thresholding made it into the
documentation.  The rule-specific thresholding and rule suppression are
documented in the 'doc/README.thresholding' file.
 
For quieting worms and such, use the threshold type = 'limit'; you can
then specify 1 event to be logged per 10 seconds, or 3 per 60 seconds,
600 seconds, whatever you want.  The document details the whole
functionality.
 
Marc Norton
Senior Software Engineer - Sourcefire, Inc.
410-423-1924  marc.norton at ...1935...
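
Added example (not part of the original post and not Snort's own code): a small Python model of 'limit' thresholding with a global entry under sig_id -1 and one rule-specific entry, run over constructed events. The per-source tracking, the fixed window that starts at the first event, the precedence of the rule-specific entry over the global one, and the sig_ids 1000 and 2003 are assumptions made for illustration.

```python
GLOBAL_SIG_ID = -1  # sig_id value the post gives for a global threshold


class LimitThresholds:
    """Model of 'limit' thresholds: log at most `count` events per `seconds`."""

    def __init__(self):
        self.rules = {}   # sig_id -> (count, seconds)
        self.state = {}   # (sig_id, src) -> [window_start, events_seen]

    def add(self, sig_id, count, seconds):
        self.rules[sig_id] = (count, seconds)

    def should_log(self, sig_id, src, now):
        # Assumption: a rule-specific entry wins over the global one.
        limit = self.rules.get(sig_id, self.rules.get(GLOBAL_SIG_ID))
        if limit is None:
            return True                          # no threshold: log everything
        count, seconds = limit
        key = (sig_id, src)                      # assumption: tracked per source
        window = self.state.get(key)
        if window is None or now - window[0] >= seconds:
            window = self.state[key] = [now, 0]  # start a new window
        window[1] += 1
        return window[1] <= count                # only the first `count` are logged


def run(thresholds, events):
    """Return the (time, sig_id, src) events that would be logged."""
    return [e for e in events if thresholds.should_log(e[1], e[2], e[0])]


# Constructed sample: a worm-like source firing sig 2003 every 2 seconds for a
# minute, plus a noisy rule 1000 firing every 5 seconds from another source.
EVENTS = sorted(
    [(t, 2003, "10.0.0.5") for t in range(0, 60, 2)]
    + [(t, 1000, "10.0.0.9") for t in range(0, 60, 5)]
)


def demo():
    th = LimitThresholds()
    th.add(GLOBAL_SIG_ID, count=1, seconds=10)   # global: 1 event per 10 seconds
    th.add(1000, count=3, seconds=60)            # rule-specific: 3 per 60 seconds
    return run(th, EVENTS)


if __name__ == "__main__":
    for event in demo():
        print(event)
```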
 
 