[Snort-users] [Q] thresholding: to throttle flood of alerts

Markus Lude markus.lude at ...348...
Thu Oct 16 10:41:07 EDT 2008

On Thu, Oct 16, 2008 at 06:59:37AM +0000, Victor Klimov wrote:
> Hi Leon,
> Yeah, I know, it should work...
> But it doesn't:
> #Rule for alerting common TCP/UDP flood attack:
> alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message
> flooding directed to SIP proxy"; threshold: type limit, track by_src,
> count 1, seconds600; classtype:attempted-dos; sid:100000160; rev:2;)
> This rule above should limit the flooding alert: once in 10 min.
> However I continue to see a lot of 100000160 alerts, several per minute.
> Hmm...

Do these alerts come from different sources or the same one? As I
understand thresholds, track by_src means a separate counter for each


More information about the Snort-users mailing list