Snort mailing list archives
Re: Threshold settings
From: Brian <bmc () snort org>
Date: Wed, 7 Jan 2004 15:34:46 -0500
On Wed, Dec 31, 2003 at 03:17:28PM -0500, Jeff Kell wrote:
> (1) Do you have to make entries in threshold.conf for these SIDs? In the supplied threshold.conf there are no active directives, only comments. In other words, isn't defining the thresholds within the SID going to set the threshold settings, or do you have to duplicate them in threshold.conf as well?
You should put your thresholds in threshold.conf. This file is NOT included by default because of the average upgrade case. In the cases we were told about, people were not copying threshold.conf during their upgrade. In the future, threshold.conf will be included by default. Who knows... we might add some default thresholding in threshold.conf eventually.
> (2) Both rules are tracking by_dst. Our central POP/IMAP servers are logging lots of these sigs (lots of people logging in or periodically checking for new mail). Shouldn't they be tracking by_src instead?
These were done this way to catch distributed brute force login attempts. The threshold values should be tweaked for your environment. In the future, these rules will be off by default.

Brian
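The trade-off Brian describes (by_dst catches many sources hammering one server, by_src only catches a single noisy source, and the count has to be tuned to the site's normal login rate) is easier to see on sample events than in prose. The following is an added example, not code from the thread or from Snort itself: a simplified model of a `type threshold` entry (one alert per `count` events from the tracked address inside a `seconds` window, window restarting when it expires) run over constructed login events against a constructed mail server address. The SIDs, addresses and event timings are all made up for illustration.

```python
"""Simplified model of Snort 'type threshold' tracking, by_src vs by_dst.

This is an illustrative model, NOT Snort's implementation. It keeps, per
tracked address, the start of the current window and the number of events
seen in it, and emits one alert each time the count reaches `count`.
"""

MAIL_SERVER = "192.0.2.10"  # constructed address standing in for a POP/IMAP server


def threshold_alerts(events, track, count, seconds):
    """Return the alerts a 'type threshold, track <track>' entry would emit.

    events: iterable of (timestamp_seconds, src_ip, dst_ip) for one SID.
    track:  "by_src" or "by_dst" (which address the counter is keyed on).
    count:  events needed inside the window before an alert fires.
    seconds: length of the counting window.
    """
    state = {}   # tracked address -> (window_start, events_in_window)
    alerts = []  # (timestamp, tracked address) for each alert emitted
    for ts, src, dst in events:
        key = src if track == "by_src" else dst
        start, n = state.get(key, (ts, 0))
        if ts - start >= seconds:          # window expired: start a fresh one
            start, n = ts, 0
        n += 1
        if n >= count:                     # every `count` events -> one alert
            alerts.append((ts, key))
            n = 0
        state[key] = (start, n)
    return alerts


def simulate(events, count=20, seconds=60):
    """Alert counts for the same events under by_src and by_dst tracking."""
    return {track: len(threshold_alerts(events, track, count, seconds))
            for track in ("by_src", "by_dst")}


def distributed_attempts(n_sources=30):
    """Constructed: n_sources distinct hosts each make one login attempt
    against the mail server within 30 seconds (distributed brute force, or
    equally 30 legitimate clients checking mail at once)."""
    return [(t, f"10.1.0.{t + 1}", MAIL_SERVER) for t in range(n_sources)]


def single_source_attempts(n=25):
    """Constructed: one host makes n login attempts in n seconds."""
    return [(100 + t, "10.9.9.9", MAIL_SERVER) for t in range(n)]


if __name__ == "__main__":
    # Distributed pattern: by_dst fires, by_src never does.
    print("distributed, count=20:", simulate(distributed_attempts()))
    # Single noisy source: both trackings fire.
    print("single source, count=20:", simulate(single_source_attempts()))
    # Raising count above the server's normal burst of concurrent logins
    # silences the distributed pattern under by_dst as well.
    print("distributed, count=40:", simulate(distributed_attempts(), count=40))
```

The first run shows why the rules shipped with by_dst: thirty different sources each trying once never reach a by_src count of 20, but do reach it on the destination. The same run also shows Jeff's problem, since thirty legitimate clients checking mail look identical to the counter. The third run is the tuning Brian recommends: pick a count higher than the number of logins the server normally sees in the window, so only an unusual burst alerts.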