[Snort-users] [Q] thresholding

Victor Klimov vk77de at ...14012...
Wed Oct 15 09:54:36 EDT 2008


What could be changed in the following rule so that thresholding would work?

# Rule for alerting on a common TCP/UDP flood attack:
alert ip any any -> any 5060 ( \
    msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; \
    threshold: type both, track by_src, count 1, seconds 1600; \
    classtype:attempted-dos; sid:100000160; rev:2; )
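As an added illustration (not code from the original post, and not Snort's own implementation), the following Python script models the semantics the Snort manual documents for the three `threshold:` types (`limit`, `threshold`, `both`) and replays a constructed packet timeline through the clause used in the posted rule and through a clause with a higher count over a short window. The proxy address 192.0.2.10, the source hosts and the packet timings are constructed for the example; the window-restart details of Snort's real implementation are simplified.

```python
"""Model of Snort rule-level threshold semantics (limit / threshold / both).

Added example: this is not code from the original post and not Snort's
own implementation. It follows the behaviour the Snort manual documents
for the `threshold:` keyword and replays a constructed packet timeline,
so the effect of `count` and `seconds` can be seen without running Snort.
"""
from dataclasses import dataclass, field


@dataclass
class Threshold:
    """One `threshold:` clause: type, track, count, seconds."""
    kind: str        # "limit", "threshold" or "both"
    track: str       # "by_src" or "by_dst"
    count: int
    seconds: float
    # per-address window state: addr -> (window_start, events_seen_in_window)
    _state: dict = field(default_factory=dict)

    def key(self, src: str, dst: str) -> str:
        return src if self.track == "by_src" else dst

    def fires(self, ts: float, src: str, dst: str) -> bool:
        """Return True if the event at time `ts` should raise an alert."""
        addr = self.key(src, dst)
        start, n = self._state.get(addr, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0                  # a fresh time window for this address
        n += 1
        if self.kind == "limit":
            # alert on the first `count` events of the window, then stay quiet
            fire = n <= self.count
        elif self.kind == "threshold":
            # alert every `count` events; the counter restarts after each alert
            fire = n >= self.count
            if fire:
                n = 0
        elif self.kind == "both":
            # one alert per window, and only once `count` events have been seen
            fire = n == self.count
        else:
            raise ValueError(f"unknown threshold type {self.kind!r}")
        self._state[addr] = (start, n)
        return fire


def replay(events, **clause) -> dict:
    """Return {tracked_address: number_of_alerts} for a threshold clause."""
    thr = Threshold(**clause)
    alerts: dict = {}
    for ts, src, dst in events:
        if thr.fires(ts, src, dst):
            addr = thr.key(src, dst)
            alerts[addr] = alerts.get(addr, 0) + 1
    return alerts


PROXY = "192.0.2.10"                       # hypothetical SIP proxy address

# The clause exactly as it appears in the posted rule.
POSTED_CLAUSE = dict(kind="both", track="by_src", count=1, seconds=1600)
# A clause that only fires once a source has sent 100 events within 10 s
# (illustrative numbers, not tuned for any real deployment).
FLOOD_CLAUSE = dict(kind="both", track="by_src", count=100, seconds=10)


def constructed_timeline():
    """Constructed traffic: one flooding host and one ordinary host."""
    events = [(i * 0.02, "10.0.0.1", PROXY) for i in range(300)]   # 300 pkts in 6 s
    events += [(t, "10.0.0.2", PROXY) for t in (1.0, 20.0, 45.0)]  # 3 pkts in 45 s
    return sorted(events)


if __name__ == "__main__":
    timeline = constructed_timeline()
    print("posted clause :", replay(timeline, **POSTED_CLAUSE))
    print("flood clause  :", replay(timeline, **FLOOD_CLAUSE))
    print("type threshold:", replay(timeline, kind="threshold", track="by_src",
                                    count=100, seconds=10))
```

Running the script shows that with `type both, count 1` the clause fires on the very first packet from each source (the flooding host and the host that sent three packets alike) and then stays silent for 1600 seconds, so it rate-limits the alert rather than detecting a rate. A count greater than one over a short window is what makes the clause depend on how fast a source is sending: `count 100, seconds 10` fires once for the flooding host and never for the ordinary one, and `type threshold` with the same numbers fires once per 100 packets.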



