[Snort-users] global threshold

Jeremy Hewlett jh at ...1935...
Thu Feb 3 12:43:56 EST 2005


On Wed, Feb 02, Peggy Kam wrote:
> 
> threshold gen_id 0, sig_id 0, type both, track by_src, count 5, seconds 60
> 
> My interpretation of the above is 
> each given host can only trigger one alert per rule per 60 seconds, but
> only if we exceed 5 events per rule in 60 seconds

Thresholding does not currently support per-IP tracking. "src" refers
to all source IPs triggering that event.




