[Snort-users] threshold in rule definition and in threshold.conf

Jeremy Hewlett jh at ...1935...
Wed Jan 7 11:00:02 EST 2004


On Wed, Jan 07, Nerijus Krukauskas wrote:
> Let's say, I want to raise the count threshold. Will the line in 
> threshold.conf (threshold gen_id 1, sig_id 2274, type threshold, track 
> by_dst, count 10, seconds 60;) give me the desired result?

This should error; you can't apply multiple thresholds to the same
sid.

> In other words, will the custom made thresholds in threshold.conf
> override those in the definition of rules?

Thresholds in a rule will override other thresholds (i.e., globals).
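
A pre-deployment check for the situation discussed in this thread, as an added example that is not part of the original post or of Snort itself: it reports sids that have both an in-rule `threshold:` option and a per-sid entry in threshold.conf, and sids whose in-rule threshold takes precedence over a global entry. The sample rules and threshold.conf lines are constructed, the function names are hypothetical, and `sig_id 0` as the global form is assumed from Snort 2.x threshold syntax.

```python
import re

# Constructed sample inputs (not taken from the original thread).
SAMPLE_RULES = '''\
alert tcp any any -> any 110 (msg:"constructed, rate limited in rule"; threshold: type threshold, track by_dst, count 5, seconds 60; sid:2274; rev:1;)
alert tcp any any -> any 80 (msg:"constructed, no in-rule limit"; content:"x"; sid:1000001; rev:1;)
'''
SAMPLE_THRESHOLD_CONF = '''\
# constructed threshold.conf
threshold gen_id 1, sig_id 2274, type threshold, track by_dst, count 10, seconds 60;
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
'''

RULE_SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
RULE_THRESHOLD = re.compile(r'\bthreshold\s*:\s*([^;]+);')
CONF_LINE = re.compile(r'^\s*threshold\s+(.+?);?\s*$')

def in_rule_thresholds(rules_text):
    """Map sid -> in-rule threshold option text, for rules that carry one."""
    found = {}
    for line in rules_text.splitlines():
        if line.lstrip().startswith('#'):
            continue  # commented-out rule
        sid, thr = RULE_SID.search(line), RULE_THRESHOLD.search(line)
        if sid and thr:
            found[int(sid.group(1))] = thr.group(1).strip()
    return found

def standalone_thresholds(conf_text):
    """Yield (gen_id, sig_id) for each standalone threshold line."""
    for line in conf_text.splitlines():
        m = CONF_LINE.match(line)
        if m:
            opts = dict(p.split(None, 1) for p in m.group(1).split(','))
            yield int(opts.get('gen_id', 1)), int(opts['sig_id'])

def check(rules_text, conf_text):
    """Return (conflicting sids, sids whose in-rule threshold shadows a global)."""
    in_rule = in_rule_thresholds(rules_text)
    conflicts, has_global = [], False
    # Assumption: text rules are gen_id 1 and sig_id 0 means "all sids".
    for gen_id, sig_id in standalone_thresholds(conf_text):
        if gen_id == 1 and sig_id == 0:
            has_global = True
        elif gen_id == 1 and sig_id in in_rule:
            conflicts.append(sig_id)  # second threshold on the same sid
    return sorted(conflicts), (sorted(in_rule) if has_global else [])

if __name__ == "__main__":
    print(check(SAMPLE_RULES, SAMPLE_THRESHOLD_CONF))
```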





