Snort mailing list archives

Re: Threshold settings


From: Brian <bmc () snort org>
Date: Wed, 7 Jan 2004 15:34:46 -0500

On Wed, Dec 31, 2003 at 03:17:28PM -0500, Jeff Kell wrote:
> (1) Do you have to make entries in threshold.conf for these SIDs?  In
> the supplied threshold.conf there are no active directives, only
> comments.  In other words, isn't defining the thresholds within the
> SID going to set the threshold settings, or do you have to duplicate
> them in threshold.conf as well?

You should put your thresholds in threshold.conf.  

This file is NOT included by default because of the average upgrade
case.  In the cases we were told about, people were not copying
threshold.conf during their upgrade.

In the future, threshold.conf will be included by default.  

Who knows... we might add some default thresholding in threshold.conf
eventually.

> (2) Both rules are tracking by_dst.  Our central POP/IMAP servers are
> logging lots of these sigs (lots of people logging in or periodically
> checking for new mail).  Shouldn't they be tracking by_src instead?

These were done this way to catch distributed brute force login
attempts.  The threshold values should be tweaked for your
environment.  In the future, these rules will be off by default.

Brian
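A worked threshold.conf showing both ways of handling the situation Jeff describes. This is an added example, not part of the thread or of the stock Snort threshold.conf. The gen_id/sig_id pairs 1/2273 (IMAP) and 1/2274 (POP3) are assumed from the imap.rules/pop3.rules of the period; the thread never names the SIDs, so check them against your own ruleset. The server addresses are constructed. Snort only honours this file if snort.conf carries an `include threshold.conf` line, which Brian notes is not there by default after an upgrade; `snort -T -c snort.conf` validates the result before you restart the sensor.

```snort
# threshold.conf (added example; SIDs and IPs are assumptions, verify locally)

# Option A: keep the shipped by_dst threshold on the rule, which is what
# catches a distributed brute force against one mailbox server, and just
# stop it firing for the central POP/IMAP servers that see legitimate
# login storms.  suppress does not conflict with a threshold already set
# inside the rule.
suppress gen_id 1, sig_id 2274, track by_dst, ip 192.0.2.10
suppress gen_id 1, sig_id 2273, track by_dst, ip 192.0.2.10

# Option B: track per client instead, alerting once a single source sends
# 30 logins to any server inside 60 seconds.  Only one threshold may apply
# to a given gen_id/sig_id pair (per the Snort manual Snort refuses to
# start on a duplicate), so before enabling these lines remove the
# threshold: keyword from the rule itself, e.g. by carrying a copy of the
# rule without it in local.rules and disabling the original.
# threshold gen_id 1, sig_id 2274, type threshold, track by_src, count 30, seconds 60
# threshold gen_id 1, sig_id 2273, type threshold, track by_src, count 30, seconds 60
```

Option A is the lower-risk change on a sensor that watches a handful of known mail servers: the distributed-attack coverage Brian describes is kept for every other host, and the noisy servers are silenced explicitly rather than by raising the count until the rule never fires. Option B trades that coverage for a per-client view that a single attacker cannot dilute by spreading logins across servers; the count and window are starting points to tune against your own login rate, as the reply says.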



