[Snort-users] global threshold
jh at ...1935...
Thu Feb 3 12:43:56 EST 2005
On Wed, Feb 02, Peggy Kam wrote:
> threshold gen_id 0, sig_id 0, type both, track by_src, count 5, seconds
> My interpretation of the above is
> each given host can only trigger one alert per rule per 60 seconds, but
> only if we exceed 5 events per rule in 60 seconds
Thresholding does not currently support per-IP tracking. "src" refers
to all source IPs triggering that event.