[Snort-users] [Q] thresholding: to throttle flood of alerts

Leon Ward seclists at ...14165...
Wed Oct 15 17:24:31 EDT 2008


You are looking for "limit", or rather "both" limit and threshold.

Take a look at README.thresholding in the /doc directory and the link  



On 15 Oct 2008, at 19:50, Victor Klimov wrote:

> Hi Jack,
> Actually I don't want to detect a flood. I already have some kind of flood,
> at least according to what I get from snort.
> I want to throttle the flood of 'flooding directed to SIP proxy' messages.
> Even if I changed the threshold values in the original rule,
> I do see several in let's say 3 min.
> That is what I want to throttle.
> Victor
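
An added example, not part of the thread and not Snort's code: a small Python model of the three threshold types named in the reply ("limit", "threshold", "both"), following their descriptions in README.thresholding, run over a constructed flood. The addresses, the event timing and the fixed-window handling are assumptions made for illustration.

```python
# Simplified model of Snort's three threshold types, as described in
# README.thresholding. Not Snort's implementation. Assumed window model:
# a fixed window per tracked address that restarts on the first event
# seen after the previous window has expired.

def apply_threshold(events, kind, count, seconds):
    """events: list of (timestamp_seconds, tracked_ip), sorted by time.
    Returns the events that would still be logged as alerts."""
    if kind not in ("limit", "threshold", "both"):
        raise ValueError("unknown threshold type: %r" % kind)
    state = {}   # tracked_ip -> [window_start, events_seen_in_window]
    logged = []
    for ts, ip in events:
        st = state.get(ip)
        if st is None or ts - st[0] >= seconds:
            st = state[ip] = [ts, 0]          # open a new window
        st[1] += 1
        seen = st[1]
        if kind == "limit":                   # first `count` events per window
            emit = seen <= count
        elif kind == "threshold":             # every `count`-th event
            emit = seen % count == 0
        else:                                 # "both": once per window, at `count`
            emit = seen == count
        if emit:
            logged.append((ts, ip))
    return logged

# Constructed input: one source raises the rule every 2 s for 6 minutes,
# a second source raises it only five times.
FLOOD = sorted(
    [(t, "192.0.2.10") for t in range(0, 360, 2)]
    + [(t, "192.0.2.20") for t in range(1, 10, 2)]
)

def summary(seconds=180):
    """Alert counts per threshold type for the constructed flood."""
    return {
        "unthrottled": len(FLOOD),
        "limit count 1": len(apply_threshold(FLOOD, "limit", 1, seconds)),
        "threshold count 30": len(apply_threshold(FLOOD, "threshold", 30, seconds)),
        "both count 30": len(apply_threshold(FLOOD, "both", 30, seconds)),
    }

if __name__ == "__main__":
    for name, alerts in summary().items():
        print("%-20s %d alerts" % (name, alerts))
```

With a 3-minute window, "limit" keeps one alert per source per window even for the quiet source, while "both" stays silent until a source has crossed the count and then logs once per window.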
