Snort mailing list archives

RE: suggestion?


From: Steve Halligan <giermo () geeksquad com>
Date: Wed, 15 Jan 2003 10:35:18 -0600



 Is it possible to build into the code or the conf/rules files
 an option that would instruct snort to stop logging for this alert
 based upon the source address and after "x" number of similar
 alerts for "x" amount of time?

This exists in the code (1.9 and 2.0 IIRC).  It is an undocumented
Rule option called "threshold".  It is undocumented for a very good
reason:  It is very very broken.

Not sure where it is on the list of things-to-do.

-steve

