[Snort-users] snort 2.0.2 - Rule Thresholding
marc.norton at ...1935...
Thu Sep 18 05:40:47 EDT 2003
The new thresholding feature supports both rule specific thresholding
and global thresholding to quiet all of the rules down. Using global
thresholding requires you to use a sig_id value of -1 in the 'threshold'
command instead of a specific rule sig_id. I am posting this tidbit
because I don't think the global thresholding made it into the
documentation. The rule specific thresholding and rule suppression are
documented in the 'doc/README.thresholding' file.

For quieting worms and such, use the threshold type = 'limit'; you can
then specify 1 event to be logged per 10 seconds, or 3 per 60 seconds,
600 seconds, whatever you want. The document details the whole
Senior Software Engineer - Sourcefire,Inc.
410-423-1924 marc.norton at ...1935...
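
Added example, not part of the original post and not Snort's own code: a simplified Python model of 'limit' thresholding, with one rule-specific limit (1 event per 10 seconds) and a global limit under sig_id -1 (3 events per 60 seconds). The sig_id values, source addresses, per-source tracking and the fixed-window reset are assumptions made for illustration.

```python
from dataclasses import dataclass

GLOBAL_SIG_ID = -1  # per the post: sig_id -1 selects global thresholding


@dataclass
class Limit:
    count: int    # events logged per window
    seconds: int  # window length in seconds


class LimitThresholds:
    """Simplified model of type 'limit', tracked per (rule, source)."""

    def __init__(self, config):
        self.config = config  # {sig_id: Limit}
        self.state = {}       # (sig_id, src) -> [window_start, events_seen]

    def should_log(self, sig_id, src, ts):
        # A rule-specific threshold wins; otherwise fall back to the global one.
        limit = self.config.get(sig_id) or self.config.get(GLOBAL_SIG_ID)
        if limit is None:
            return True  # no threshold applies, every event is logged
        entry = self.state.get((sig_id, src))
        # Assumption: the window opens at the first event and is replaced
        # by a new one once 'seconds' have elapsed.
        if entry is None or ts - entry[0] >= limit.seconds:
            entry = self.state[(sig_id, src)] = [ts, 0]
        entry[1] += 1
        return entry[1] <= limit.count


def run_sample():
    # Constructed events (timestamp, sig_id, source); all values are made up.
    events = [(t, 1000001, "10.0.0.5") for t in range(0, 25, 2)]
    events += [(t, 1000002, "10.0.0.9") for t in (0, 5, 10, 20, 59, 61, 62)]
    events.sort()
    th = LimitThresholds({1000001: Limit(1, 10), GLOBAL_SIG_ID: Limit(3, 60)})
    return [(ts, sid) for ts, sid, src in events if th.should_log(sid, src, ts)]


if __name__ == "__main__":
    for ts, sid in run_sample():
        print(f"t={ts:>2}s sig_id={sid} logged")
```

Of the 13 noisy events for the first rule only three are logged, while the second rule, which has no threshold of its own, is held to three per minute by the global entry.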