[Snort-users] threshold in rule definition and in threshold.conf
nk99 at ...10637...
Wed Jan 7 04:15:02 EST 2004
There are some rules that have threshold limits in their definition.
E.g.

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2274; rev:1;)

Let's say I want to raise the count threshold. Will the line in
threshold.conf

threshold gen_id 1, sig_id 2274, type threshold, track by_dst, count 10, seconds 60;

give me the desired result? In other words, will the custom-made
thresholds in threshold.conf override those in the definition of rules?
NK @ Vilnius
"... the Mayo Clinic, named after its founder, Dr. Ted Clinic ..." --
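
An added example, not part of the original post: a small Python check that lists every sid carrying a threshold both in its rule body and in threshold.conf, together with the fields that differ. The sample input is the rule and the threshold.conf line quoted in the post; the function names are hypothetical.

```python
import re

# Sample input constructed from the rule and threshold.conf line quoted in the post.
RULES = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force '
         'attempt"; flow:to_server,established; content:"USER"; nocase; '
         'threshold:type threshold, track by_dst, count 5, seconds 60; '
         'classtype:suspicious-login; sid:2274; rev:1;)\n')
THRESHOLD_CONF = ('# constructed comment line\n'
                  'threshold gen_id 1, sig_id 2274, type threshold, '
                  'track by_dst, count 10, seconds 60;\n')
FIELDS = ("type", "track", "count", "seconds")

def _kv(text):
    """Turn 'type threshold, track by_dst, count 5' into a dict."""
    pairs = (part.split() for part in text.split(","))
    return {p[0]: p[1] for p in pairs if len(p) == 2}

def rule_thresholds(rules_text):
    """Map sid -> in-rule threshold options, for rules that carry one."""
    found = {}
    for line in rules_text.splitlines():
        sid = re.search(r"\bsid:\s*(\d+)\s*;", line)
        thr = re.search(r"\bthreshold:\s*([^;]+);", line)
        if sid and thr:
            found[int(sid.group(1))] = _kv(thr.group(1))
    return found

def conf_thresholds(conf_text):
    """Map sig_id -> standalone threshold options (gen_id 1, as in the post)."""
    found = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if line.startswith("threshold "):
            opts = _kv(line[len("threshold "):])
            if opts.get("gen_id") == "1" and "sig_id" in opts:
                found[int(opts.pop("sig_id"))] = opts
    return found

def overlaps(rules_text, conf_text):
    """Return [(sid, {field: (in_rule, in_conf)})] for sids defined in both places."""
    in_rule, in_conf = rule_thresholds(rules_text), conf_thresholds(conf_text)
    result = []
    for sid in sorted(in_rule.keys() & in_conf.keys()):
        diff = {f: (in_rule[sid].get(f), in_conf[sid].get(f))
                for f in FIELDS if in_rule[sid].get(f) != in_conf[sid].get(f)}
        result.append((sid, diff))
    return result

if __name__ == "__main__":
    for sid, diff in overlaps(RULES, THRESHOLD_CONF):
        print(f"sid {sid}: threshold in rule and in threshold.conf, differing: {diff}")
```
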