[Snort-users] threshold in rule definition and in threshold.conf

Nerijus Krukauskas nk99 at ...10637...
Wed Jan 7 04:15:02 EST 2004

   There are some rules that have threshold limits in their definition, 
e.g.: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login 
brute force attempt"; flow:to_server,established; content:"USER"; 
nocase; threshold:type threshold, track by_dst, count 5, seconds 60; 
classtype:suspicious-login; sid:2274; rev:1;)

   Let's say I want to raise the count threshold. Will the line in 
threshold.conf (threshold gen_id 1, sig_id 2274, type threshold, track 
by_dst, count 10, seconds 60;) give me the desired result? In other 
words, will the custom-made thresholds in threshold.conf override 
those in the definition of the rules?

NK @ Vilnius

"... the Mayo Clinic, named after its founder, Dr. Ted Clinic ..." -- 
Dave Barry
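The following is an added example, not part of the post above and not Snort's own code: a small Python model of what the "threshold" option on sid 2274 and the corresponding threshold.conf line actually count, so the effect of raising count from 5 to 10 can be seen on sample traffic. It parses both syntaxes and replays constructed POP3 USER events through per-address counters. The window handling follows the Snort 2 manual's description of the limit, threshold and both types; the assumption that the counter and window restart after a "threshold"-type alert, the sample addresses, and all function names here are the example's own. It does not settle the question of which of the two definitions Snort applies when both exist.

```python
"""Model of Snort 2.x event thresholding (rule `threshold:` option / threshold.conf).

Added example, not Snort code.  Semantics follow the Snort 2 manual's
description of type limit / threshold / both; the reset-on-alert detail for
type threshold is an assumption about Snort's implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ThresholdSpec:
    type: str      # "limit", "threshold" or "both"
    track: str     # "by_src" or "by_dst"
    count: int
    seconds: int


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since start of capture
    src: str
    dst: str


def _parse_fields(text: str) -> Dict[str, str]:
    """'type threshold, track by_dst, count 5, seconds 60' -> {'type': 'threshold', ...}."""
    fields = {}
    for part in text.strip().rstrip(";").split(","):
        key, _, value = part.strip().partition(" ")
        fields[key] = value.strip()
    return fields


def _spec_from_fields(fields: Dict[str, str]) -> ThresholdSpec:
    return ThresholdSpec(fields["type"], fields["track"],
                         int(fields["count"]), int(fields["seconds"]))


def parse_rule_threshold(option: str) -> ThresholdSpec:
    """Parse the value of a rule's `threshold:` option."""
    return _spec_from_fields(_parse_fields(option))


def parse_threshold_conf_line(line: str) -> Tuple[int, int, ThresholdSpec]:
    """Parse 'threshold gen_id 1, sig_id 2274, type ..., track ..., count N, seconds S;'."""
    keyword, _, rest = line.strip().rstrip(";").partition(" ")
    if keyword != "threshold":
        raise ValueError(f"not a threshold line: {line!r}")
    fields = _parse_fields(rest)
    return int(fields["gen_id"]), int(fields["sig_id"]), _spec_from_fields(fields)


class ThresholdTracker:
    """Per-address window counters for one ThresholdSpec."""

    def __init__(self, spec: ThresholdSpec) -> None:
        self.spec = spec
        # tracked address -> (window start time, events seen in window)
        self._state: Dict[str, Tuple[Optional[float], int]] = {}

    def process(self, ev: Event) -> bool:
        """Return True if this event would be logged under the spec."""
        addr = ev.src if self.spec.track == "by_src" else ev.dst
        start, count = self._state.get(addr, (None, 0))
        if start is None or ev.ts - start > self.spec.seconds:
            start, count = ev.ts, 0            # open a new window for this address
        count += 1
        alert = False
        if self.spec.type == "limit":          # first N events in the window alert
            alert = count <= self.spec.count
        elif self.spec.type == "threshold":    # every Nth event in the window alerts
            if count >= self.spec.count:
                alert, count, start = True, 0, ev.ts   # assumed reset after alerting
        elif self.spec.type == "both":         # once per window, on the Nth event
            alert = count == self.spec.count
        else:
            raise ValueError(f"unknown threshold type {self.spec.type!r}")
        self._state[addr] = (start, count)
        return alert


def alerts_for(spec: ThresholdSpec, events: List[Event]) -> List[Event]:
    """Replay events through a fresh tracker and return those that alert."""
    tracker = ThresholdTracker(spec)
    return [ev for ev in events if tracker.process(ev)]


# Constructed sample traffic (hypothetical addresses): one client sending 12 POP3
# USER commands in 12 seconds to one server, plus three attempts at a second server.
SAMPLE_EVENTS = ([Event(float(i), "10.0.0.5", "192.168.1.10") for i in range(12)]
                 + [Event(float(i), "10.0.0.5", "192.168.1.11") for i in range(3)])

RULE_OPTION = "type threshold, track by_dst, count 5, seconds 60"
CONF_LINE = "threshold gen_id 1, sig_id 2274, type threshold, track by_dst, count 10, seconds 60;"

if __name__ == "__main__":
    rule_spec = parse_rule_threshold(RULE_OPTION)
    _, _, conf_spec = parse_threshold_conf_line(CONF_LINE)
    for label, spec in (("rule, count 5", rule_spec), ("threshold.conf, count 10", conf_spec)):
        hits = alerts_for(spec, SAMPLE_EVENTS)
        print(f"{label}: {len(hits)} alert(s) at t={[ev.ts for ev in hits]}")
```

With the rule's count 5 the 12 attempts against 192.168.1.10 produce two alerts (the 5th and 10th USER); with count 10 they produce one, and the three attempts against the second server never alert under either setting because tracking is by_dst.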
