Snort mailing list archives

Re: Using detection_filter instead of threshold
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 27 Oct 2010 12:05:16 -0400

From the README:

"Since potentially many events will be generated, a detection_filter would normally
be used in conjunction with an event_filter to reduce the number of logged events."

Joel

On Wed, Oct 27, 2010 at 11:13 AM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt () gmail com> wrote:

Hello.  I have always enjoyed the 'threshold' ability of snort but
from what I read, it is going away and replaced by 'detection_filter'.
 My desire is to have 'threshold: type: limit' capability but the
snort manual says detection_filter, "defines a rate which must be
exceeded by a source or destination host before a rule can generate an
event."  So how can I use detection_filter to limit the number of
times a rule alerts in a given time period?

Thank you.

L0rd C.


------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America
contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in
marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




-- 
Joel Esler
302-223-5974
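The README sentence Joel quotes describes a detection_filter rule option paired with an event_filter of type limit. As an added example, not part of the thread or of Snort's own source, here is a small Python model of the two documented behaviours: detection_filter suppresses a rule until a tracked host exceeds `count` matches within `seconds`, and event_filter type limit then logs only the first `count` of those events per window (the old `threshold: type limit`). The hosts, timestamps, and the count/seconds values are constructed for the demonstration; sig_id 1000001 in the comment is a placeholder local SID.

```python
from typing import Dict, List, Optional, Tuple


class DetectionFilter:
    """Models the rule option `detection_filter: track by_src, count c, seconds s;`.
    A match becomes an event only once the tracked host has produced MORE than
    `count` matches inside one `seconds`-long window (the 6th match if count 5)."""

    def __init__(self, count: int, seconds: int) -> None:
        self.count, self.seconds = count, seconds
        self.state: Dict[str, Tuple[float, int]] = {}  # host -> (window_start, matches)

    def match(self, host: str, t: float) -> bool:
        start, n = self.state.get(host, (t, 0))
        if t - start >= self.seconds:   # window expired: start counting again
            start, n = t, 0
        n += 1
        self.state[host] = (start, n)
        return n > self.count           # event only after the rate is exceeded


class LimitFilter:
    """Models `event_filter gen_id 1, sig_id 1000001, type limit, track by_src,
    count m, seconds s` from snort.conf/threshold.conf: log the first `count`
    events per host in each window and drop the rest."""

    def __init__(self, count: int, seconds: int) -> None:
        self.count, self.seconds = count, seconds
        self.state: Dict[str, Tuple[float, int]] = {}

    def log(self, host: str, t: float) -> bool:
        start, n = self.state.get(host, (t, 0))
        if t - start >= self.seconds:   # new window: the first events log again
            start, n = t, 0
        n += 1
        self.state[host] = (start, n)
        return n <= self.count


def logged_events(matches: List[Tuple[str, float]], det: DetectionFilter,
                  lim: Optional[LimitFilter] = None) -> List[Tuple[str, float]]:
    """Feed (host, time) rule matches through both stages; return what is logged."""
    out = []
    for host, t in matches:
        if det.match(host, t) and (lim is None or lim.log(host, t)):
            out.append((host, t))
    return out


if __name__ == "__main__":
    # Constructed sample: 10.0.0.5 matches once a second for 10 s, then once more
    # 100 s later (window expired, no event); 10.0.0.9 matches only 3 times.
    sample = [("10.0.0.5", float(t)) for t in range(10)] + [("10.0.0.5", 100.0)] \
        + [("10.0.0.9", float(t)) for t in range(3)]
    print(logged_events(sample, DetectionFilter(5, 60)))                   # 5 events, t=5..9
    print(logged_events(sample, DetectionFilter(5, 60), LimitFilter(1, 60)))  # 1 event, t=5
```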
