[Snort-users] Threshold vs. Limit
nk99 at ...10637...
Thu Aug 26 22:40:19 EDT 2004
Lyndon Tiu wrote:
> I have these two lines in /etc/snort/threshold.conf
> threshold gen_id 0, sig_id 0, type threshold, track by_src, count 10, seconds 60
> threshold gen_id 0, sig_id 0, type limit, track by_src, count 1,
> My intention is to only log one unique alert from a unique source
> every 60 seconds (to prevent DDOS). BUT, I also want to log if 10
> alerts are received from a unique source in a 60 second period (to
> detect DDOS attempts).
> I wonder if my config above is correct or am I missing something?
Instead of two lines, I'd use one with 'type both' and the
count/seconds set to the values needed. Of course, this is not exactly
what you want, but you can only have just one 'threshold' rule per
gid-sid pair. Snort will barf on you, if you have more.
And count yourself how many drinks :-D you should take for this
That's the difference between me and the rest of the world! Happiness
isn't good enough for me! I demand euphoria! -- Calvin
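Added example, not from the original post and not Snort's own code: a small Python simulation of the three threshold types (`threshold`, `limit`, `both`) following the semantics documented in Snort's README.thresholding, fed with a constructed alert stream. It also mirrors the one-entry-per-gid/sid rule the reply mentions by rejecting a second entry for the same pair. The `seconds 60` on the limit line is assumed, since the quoted line above is cut off; all addresses and timestamps are constructed.

```python
"""Simulation of Snort threshold.conf semantics: threshold, limit, both.

Added example, not Snort source.  Semantics as documented in the Snort
manual (README.thresholding):
  threshold: log every `count`-th event from the tracked address within `seconds`
  limit:     log the first `count` events within `seconds`, then drop until the window rolls
  both:      log once per `seconds` window, and only after `count` events were seen
"""
import re

_LINE = re.compile(
    r"threshold\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),\s*type\s+(\w+),"
    r"\s*track\s+(by_src|by_dst),\s*count\s+(\d+),\s*seconds\s+(\d+)\s*$")


class Threshold:
    """One threshold.conf entry plus its per-address window state."""

    def __init__(self, gid, sid, type_, track, count, seconds):
        if type_ not in ("threshold", "limit", "both"):
            raise ValueError("unknown threshold type: %s" % type_)
        self.gid, self.sid = gid, sid
        self.type, self.track = type_, track
        self.count, self.seconds = count, seconds
        self._state = {}  # tracked address -> [window_start, events_in_window]

    @classmethod
    def parse(cls, line):
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError("malformed threshold line: %r" % line)
        gid, sid, type_, track, count, seconds = m.groups()
        return cls(int(gid), int(sid), type_, track, int(count), int(seconds))

    def allow(self, src, dst, ts):
        """Return True if an alert at time `ts` (seconds) should be logged."""
        key = src if self.track == "by_src" else dst
        st = self._state.get(key)
        if st is None or ts - st[0] >= self.seconds:  # start a fresh window
            st = [ts, 0]
            self._state[key] = st
        st[1] += 1
        n = st[1]
        if self.type == "threshold":
            return n % self.count == 0
        if self.type == "limit":
            return n <= self.count
        return n == self.count  # both: exactly once per window, at the count-th event


class ThresholdTable:
    """Rejects a second entry for the same gen_id/sig_id pair (Snort refuses to load such a file)."""

    def __init__(self):
        self._entries = {}

    def add(self, line):
        th = Threshold.parse(line)
        if (th.gid, th.sid) in self._entries:
            raise ValueError("duplicate threshold for gen_id %d sig_id %d" % (th.gid, th.sid))
        self._entries[(th.gid, th.sid)] = th
        return th


def duplicate_rejected(lines):
    """True if loading `lines` into one table fails on a duplicate gid/sid pair."""
    tbl = ThresholdTable()
    try:
        for line in lines:
            tbl.add(line)
    except ValueError:
        return True
    return False


def run(th, events):
    """Feed (src, dst, ts) alerts in time order; return the timestamps that get logged."""
    return [ts for src, dst, ts in events if th.allow(src, dst, ts)]


# Constructed stream: 10.0.0.1 sends 21 alerts one second apart, 10.0.0.2 sends one
# at t=5, then 10.0.0.1 sends 11 more from t=70 (a new 60 s window).
EVENTS = sorted(
    [("10.0.0.1", "10.0.0.9", t) for t in range(21)]
    + [("10.0.0.2", "10.0.0.9", 5)]
    + [("10.0.0.1", "10.0.0.9", t) for t in range(70, 81)],
    key=lambda e: e[2])

CONFIGS = {
    # the poster's two lines ('seconds 60' on the limit line is assumed)
    "limit_1": "threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60",
    "threshold_10": "threshold gen_id 0, sig_id 0, type threshold, track by_src, count 10, seconds 60",
    # the single entry the reply suggests instead
    "both_10": "threshold gen_id 0, sig_id 0, type both, track by_src, count 10, seconds 60",
}


def compare():
    """Logged timestamps per config when each is applied alone to EVENTS."""
    return {name: run(Threshold.parse(line), EVENTS) for name, line in CONFIGS.items()}


if __name__ == "__main__":
    for name, logged in compare().items():
        print("%-13s logs at t=%s" % (name, logged))
    print("both poster lines together rejected:",
          duplicate_rejected([CONFIGS["limit_1"], CONFIGS["threshold_10"]]))
```

Run alone, `limit_1` logs the first alert from each source per window, `threshold_10` logs at the 10th and 20th alert in the first window, and `both_10` logs only once per window once 10 alerts have been seen, which is the compromise the reply describes; loading the two poster lines into one table is rejected because they share gen_id 0 / sig_id 0.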