[Snort-users] Threshold vs. Limit

Nerijus Krukauskas nk99 at ...10637...
Thu Aug 26 22:40:19 EDT 2004


Lyndon Tiu wrote:
 >
 > I have these two lines in /etc/snort/threshold.conf
 >
 > threshold gen_id 0, sig_id 0, type threshold, track by_src, count 10, seconds 60
 >
 > threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
 >
 > My intention is to only log one unique alert from a unique source every 60 seconds (to prevent DDOS). BUT, I also want to log if 10 alerts are received from a unique source in a 60 second period (to detect DDOS attempts).
 >
 > I wonder if my config above is correct or am I missing something?

   Instead of two lines, I'd use one with 'type both' and the 
count/seconds set to the values needed. Of course, this is not exactly 
what you want, but you can only have just one 'threshold' rule per 
gid-sid pair. Snort will barf on you, if you have more.

   And count yourself how many drinks :-D you should take for this 
question: http://www.theadamsfamily.net/~erek/snort/drinking_game.txt

-- 
http://nk.tinkle.lt/

That's the difference between me and the rest of the world! Happiness 
isn't good enough for me! I demand euphoria! -- Calvin
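As an added illustration (not code from this thread or from Snort itself), here is a small Python model of the three threshold.conf types run over a constructed event stream; it shows why a single 'type both' rule catches the 10-in-60s flood but no longer logs the first alert from a quiet source, which is the part of the original intent that gets lost. The names apply_threshold, SAMPLE and compare are mine, and the window handling is a simplified version of Snort's documented semantics.

```python
from collections import defaultdict

# Simplified model of Snort's threshold.conf types (illustration, not Snort's code).
# Per the Snort documentation:
#   limit     - log the first `count` events per source in each `seconds` window
#   threshold - log every `count`-th event per source within the window
#   both      - log once per window, and only once `count` events have been seen
def apply_threshold(events, kind, count, seconds):
    """events: list of (timestamp, src_ip) in time order -> list of logged (ts, src)."""
    windows = defaultdict(lambda: [None, 0])   # src -> [window start, events so far]
    logged = []
    for ts, src in events:
        w = windows[src]
        if w[0] is None or ts - w[0] >= seconds:  # open a fresh window for this source
            w[0], w[1] = ts, 0
        w[1] += 1
        if kind == "limit":
            fire = w[1] <= count
        elif kind == "threshold":
            fire = w[1] % count == 0
        elif kind == "both":
            fire = w[1] == count
        else:
            raise ValueError(f"unknown threshold type {kind!r}")
        if fire:
            logged.append((ts, src))
    return logged

# Constructed sample: 10.0.0.1 trips the same rule 12 times inside a minute (the
# flood Lyndon wants to detect); 10.0.0.2 trips it twice (ordinary background noise).
SAMPLE = sorted([(t, "10.0.0.1") for t in range(12)] + [(5, "10.0.0.2"), (30, "10.0.0.2")])

def compare(events=SAMPLE):
    """Run the two rules from the question and the single 'both' rule over the same events."""
    return {
        "limit 1/60":      apply_threshold(events, "limit", 1, 60),
        "threshold 10/60": apply_threshold(events, "threshold", 10, 60),
        "both 10/60":      apply_threshold(events, "both", 10, 60),
    }

if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:16} -> {hits}")
```

Note that 'both 10/60' logs 10.0.0.1 once (on its 10th event) and 10.0.0.2 never, so the one-alert-per-source-per-minute record is gone; if you need both behaviours, they have to come from different gid/sid pairs rather than two rules on the same one.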



