Snort mailing list archives
threshold in rule definition and in threshold.conf
From: Nerijus Krukauskas <nk99 () delfi lt>
Date: Wed, 07 Jan 2004 14:14:10 +0200
There're some rules that have threshold limits in their definition. E.g.

    alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2274; rev:1;)

Let's say, I want to raise the count threshold. Will the line in threshold.conf

    threshold gen_id 1, sig_id 2274, type threshold, track by_dst, count 10, seconds 60;

give me the desired result? In other words, will the custom made thresholds in threshold.conf override those in the definition of rules?
-- NK @ Vilnius nk.tinkle.lt
"... the Mayo Clinic, named after its founder, Dr. Ted Clinic ..." -- Dave Barry
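An added example, not part of the original message and not Snort project code: a small lint that finds signatures whose threshold is set both inside the rule and by a standalone threshold.conf line, and lists the fields that differ. The sample input is the rule and the threshold.conf line quoted in the message; the function names are hypothetical, and the script only reports the overlap without deciding which setting Snort applies.

```python
import re

# Constructed sample input: the rule and threshold.conf line quoted in the message.
RULES = '''alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2274; rev:1;)'''
THRESHOLD_CONF = '''# standalone thresholds
threshold gen_id 1, sig_id 2274, type threshold, track by_dst, count 10, seconds 60;
'''

def parse_fields(text):
    """Turn 'type threshold, track by_dst, count 5' into a dict of key -> value."""
    fields = {}
    for part in text.split(","):
        tokens = part.split()
        if len(tokens) == 2:
            fields[tokens[0]] = tokens[1]
    return fields

def rule_thresholds(rules_text):
    """Map (gen_id, sig_id) -> threshold fields embedded in rule definitions."""
    found = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        thr = re.search(r"\bthreshold:\s*([^;]+);", line)
        sid = re.search(r"\bsid:\s*(\d+)\s*;", line)
        if thr and sid:
            # Text rules are reported under generator 1.
            found[("1", sid.group(1))] = parse_fields(thr.group(1))
    return found

def standalone_thresholds(conf_text):
    """Map (gen_id, sig_id) -> fields of standalone 'threshold ...;' lines."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("threshold "):
            continue
        fields = parse_fields(line[len("threshold "):].rstrip(";"))
        key = (fields.pop("gen_id", None), fields.pop("sig_id", None))
        found[key] = fields
    return found

def overlaps(rules_text, conf_text):
    """List ((gen_id, sig_id), {field: (in_rule, in_conf)}) for doubly-defined thresholds."""
    in_rules, in_conf = rule_thresholds(rules_text), standalone_thresholds(conf_text)
    report = []
    for key in sorted(in_rules.keys() & in_conf.keys()):
        names = sorted(set(in_rules[key]) | set(in_conf[key]))
        diff = {n: (in_rules[key].get(n), in_conf[key].get(n))
                for n in names if in_rules[key].get(n) != in_conf[key].get(n)}
        report.append((key, diff))
    return report
```

Calling overlaps() on the contents of a rules file and of threshold.conf before a reload shows every signature that carries two threshold definitions.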