[Snort-users] [Q] thresholding: to throttle flood of alerts

Victor Klimov vk77de at ...14012...
Wed Oct 15 14:50:22 EDT 2008

Hi Jack,

Actually I don't want to detect a flood. I already have some kind of flood,
at least according to what I get from snort.
I want to throttle the flood of 'flooding directed to SIP proxy' messages.

Even if I changed the threshold values in the original rule,
I do see several in, let's say, 3 min.

That is what I want to throttle.

