Re: [Snort-users] threshold in rule definition and in threshold.conf
From: Nerijus Krukauskas (nkrukauskas lb.lt)
Date: Thu Jan 08 2004 - 00:43:04 CST
Jeremy Hewlett wrote:
> On Wed, Jan 07, Nerijus Krukauskas wrote:
>
>>Let's say, I want to raise the count threshold. Will the line in
>>threshold.conf (threshold gen_id 1, sig_id 2274, type threshold, track
>>by_dst, count 10, seconds 60;) give me the desired result?
>
>
> This should error, you can't apply multiple thresholds to the same
> sid.

Right. Just after sending the original e-mail, I realized that I
can try this on my test SNORT. And yes, it triggered an error. And I
must go for a drink... :) (This is covered in README.thresholding)

Anyway, I already got an Oinkmaster update with the IMAP/POP
thresholds raised. Thanks!

>>In other words, will the custom made thresholds in threshold.conf
>>override those in the definition of rules?
>
>
> Thresholds in a rule will override other thresholds (ie: globals).

Can the above sentence be included in the README.thresholding? Or
have I missed that point while reading it?

--
NK
Vilnius
nk.tinkle.lt
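
An added example (not part of the original message and not Snort project code): a small Python check that flags any sid carrying a `threshold:` option in a rule while also having a standalone entry in threshold.conf, the combination the thread says Snort rejects. The rule text and threshold.conf contents are constructed samples, the function names are hypothetical, and `sig_id 0` is assumed to be a global entry that does not conflict.

```python
import re

# Constructed sample inputs (not taken from a real ruleset or config).
RULES = '''\
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"constructed POP3 login failure"; content:"-ERR"; threshold: type threshold, track by_dst, count 5, seconds 60; sid:2274; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"constructed IMAP rule, no threshold"; content:"NO"; sid:1000001; rev:1;)
# alert tcp any any -> any 25 (msg:"disabled"; threshold: type limit, track by_src, count 1, seconds 60; sid:1000002;)
'''
THRESHOLD_CONF = '''\
# constructed threshold.conf
threshold gen_id 1, sig_id 2274, type threshold, track by_dst, count 10, seconds 60
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
'''

# Simple line-based patterns; they assume one rule per line and no
# "sid:" or "threshold:" text hidden inside msg/content strings.
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
IN_RULE_RE = re.compile(r'\bthreshold\s*:')
CONF_RE = re.compile(r'^\s*threshold\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)', re.I)

def rule_threshold_sids(rules_text):
    """Return sids of enabled rules that carry an in-rule threshold option."""
    sids = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # skip blanks and commented-out rules
        m = SID_RE.search(line)
        if m and IN_RULE_RE.search(line):
            sids.add(int(m.group(1)))
    return sids

def conf_threshold_sids(conf_text, gen_id=1):
    """Map sig_id -> first line number for per-sid entries (sig_id 0 skipped)."""
    sids = {}
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = CONF_RE.match(line)
        if m and int(m.group(1)) == gen_id and int(m.group(2)) != 0:
            sids.setdefault(int(m.group(2)), n)
    return sids

def conflicts(rules_text, conf_text):
    """Sids thresholded both in a rule and in threshold.conf."""
    in_rule = rule_threshold_sids(rules_text)
    return sorted((s, n) for s, n in conf_threshold_sids(conf_text).items() if s in in_rule)

if __name__ == "__main__":
    for sid, lineno in conflicts(RULES, THRESHOLD_CONF):
        print(f"sid {sid}: threshold in rule and at threshold.conf line {lineno}")
```

Running a check like this before reloading Snort catches the duplicate before the sensor fails to start on it.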