[Snort-users] global threshold

Peggy Kam ppkam at ...11126...
Wed Feb 2 08:24:28 EST 2005


Hi,

I have the following threshold set in threshold.conf:

threshold gen_id 0, sig_id 0, type both, track by_src, count 5, seconds 60

My interpretation of the above is: each given host can only trigger one
alert per rule per 60 seconds, but only if we exceed 5 events per rule in
60 seconds.

However, it seems to me that it only logs 1 alert, and once the threshold
and limit are reached, the rest of the events are ignored within that 60
seconds.  And only 1 alert among all rules is being triggered.  Can anyone
please tell me if it's possible to achieve my interpretation?  If so, how?

Thanks in advance,
Peggy
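Added illustration for this thread (not Snort's own code): a small Python model of the three threshold types from threshold.conf (limit, threshold, both), tracked by_src over a sliding window of `seconds`. It assumes, as the Snort manual describes for a global `gen_id 0, sig_id 0` line, that the counter is kept per (gen_id, sig_id, source) so each rule thresholds independently; the `per_signature=False` switch is a constructed variant that keeps one counter per source across all rules, which reproduces the "only 1 alert among all rules" behaviour described above. The event stream is constructed sample data.

```python
from collections import namedtuple

# Constructed event record: time in seconds, generator id, signature id, addresses.
Event = namedtuple("Event", "t gid sid src dst")


class Threshold:
    """Model of one threshold.conf line (assumption: per-signature tracking for gid 0/sid 0)."""

    def __init__(self, ttype, count, seconds, track="by_src", per_signature=True):
        if ttype not in ("limit", "threshold", "both"):
            raise ValueError("unknown threshold type: %s" % ttype)
        self.ttype, self.count, self.seconds = ttype, count, seconds
        self.track = track
        self.per_signature = per_signature  # False = one counter per address, all rules
        self.windows = {}                   # key -> [window_start, events_seen_in_window]

    def _key(self, ev):
        addr = ev.src if self.track == "by_src" else ev.dst
        return (ev.gid, ev.sid, addr) if self.per_signature else addr

    def log(self, ev):
        """Return True if this event should be logged under the threshold."""
        k = self._key(ev)
        w = self.windows.get(k)
        if w is None or ev.t - w[0] >= self.seconds:
            w = [ev.t, 0]              # window expired or first event: start a new one
            self.windows[k] = w
        w[1] += 1
        n = w[1]
        if self.ttype == "limit":      # log the first `count` events per window
            return n <= self.count
        if self.ttype == "threshold":  # log every `count`-th event in the window
            return n % self.count == 0
        return n == self.count         # both: log once when count is reached, then suppress


def run(events, thr):
    """Feed events in time order and return the ones that would be logged."""
    return [ev for ev in sorted(events, key=lambda e: e.t) if thr.log(ev)]


def summary(events, thr):
    """(time, sid, src) of each logged event; convenient for comparing configurations."""
    return [(ev.t, ev.sid, ev.src) for ev in run(events, thr)]


# Constructed sample: two hosts, two rules, everything inside roughly one 60-second window.
SAMPLE = (
    [Event(t, 1, 1000001, "10.0.0.1", "10.0.0.9") for t in range(0, 70, 10)]   # 7 events
    + [Event(t, 1, 1000002, "10.0.0.1", "10.0.0.9") for t in (5, 15, 25)]      # 3 events
    + [Event(t, 1, 1000001, "10.0.0.2", "10.0.0.9") for t in range(1, 56, 9)]  # 7 events
)

if __name__ == "__main__":
    # Per-rule tracking: 10.0.0.1 alerts once on sid 1000001 (5th event), never on
    # sid 1000002 (only 3 events); 10.0.0.2 alerts once on sid 1000001.
    print("both, per signature :", summary(SAMPLE, Threshold("both", 5, 60)))
    # One counter per source: 10.0.0.1 reaches 5 events across both rules at t=20
    # and logs a single alert for the whole window, whichever rule fired fifth.
    print("both, per source    :", summary(SAMPLE, Threshold("both", 5, 60, per_signature=False)))
    print("limit, per signature:", len(run(SAMPLE, Threshold("limit", 5, 60))), "events logged")
```

Running it shows the practical difference between the two keying choices: with a per-signature counter the `both` line yields one alert per rule per source per window once five events are seen, which is the interpretation in the post; with a single per-source counter the first rule to reach the fifth event takes the one alert for that window and every other rule from that host stays silent until the window expires.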





