[Snort-users] [Q] thresholding: to throttle flood of alerts
vk77de at ...14012...
Wed Oct 15 14:50:22 EDT 2008
Actually I don't want do detect a flood. I already have some kind of flood,
at least according to what I get from snort.
I want to throttle the flood of 'flooding directed to SIP proxy' messages.
Even if changed the threshold values in the original rule,
I do see several in let's say 3 min.
That is what I want to throttle.
More information about the Snort-users