Snort mailing list archives

Re: Using detection_filter instead of threshold
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 28 Oct 2010 09:24:03 -0400

On Oct 28, 2010, at 9:19 AM, infosec posts wrote:

> It looks like in-rule thresholding is
> applying to each stream that matches the rule now, instead of
> squelching the rule itself (if that makes sense).


No, that is correct as designed. Thresholds (and most things in Snort) happen per-stream (flow).

Joel


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
