Snort mailing list archives

Rate limiting alerts
From: Mike Kun <mkun () akamai com>
Date: Thu, 09 Dec 2010 15:04:17 -0500

Does Snort have the ability to rate-limit an alert? For example, if we
were interested to know if a machine is part of a DDOS, we could
threshold a rule to only fire if there are 250 syn packets in 60 secs.
But, this could fire if a user opens a webpage with lots of redirects or
ads. Therefore, we'd like to only fire an alert if there is a
sustained number of syn packets over time, for example 50 syn packets
per second for 10 seconds.

It doesn't seem like thresholding can do this...
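
The two conditions in the message above, compared side by side as an added example (not part of the original post and not Snort code): a single-window count of 250 SYNs in 60 seconds versus a check for 50 SYNs per second held for 10 consecutive seconds. The function names, source addresses and timestamps are constructed for illustration.

```python
from collections import Counter

def window_threshold(timestamps, count=250, seconds=60):
    """True if any sliding window of `seconds` holds at least `count` events."""
    ts = sorted(timestamps)
    start = 0
    for end, t in enumerate(ts):
        while t - ts[start] >= seconds:
            start += 1
        if end - start + 1 >= count:
            return True
    return False

def sustained_rate(timestamps, per_second=50, duration=10):
    """True if `duration` consecutive one-second buckets each hold >= `per_second` events."""
    buckets = Counter(int(t) for t in timestamps)
    run, prev = 0, None
    for sec in sorted(buckets):
        if buckets[sec] < per_second:
            run, prev = 0, None
            continue
        # Extend the run only if this second directly follows the previous busy one.
        run = run + 1 if prev is not None and sec == prev + 1 else 1
        prev = sec
        if run >= duration:
            return True
    return False

def syn_times(seconds, per_second):
    """Constructed sample: evenly spaced SYN arrival times for one source."""
    return [s + i / per_second for s in range(seconds) for i in range(per_second)]

# Constructed SYN timestamps per source (documentation addresses, not real traffic).
SAMPLES = {
    "192.0.2.10": syn_times(3, 100),   # page-load burst: 300 SYNs in 3 s
    "192.0.2.20": syn_times(60, 5),    # steady low rate: 300 SYNs in 60 s
    "192.0.2.30": syn_times(10, 50),   # sustained: 50 SYNs/s for 10 s
}

def classify(samples):
    """Map each source to (single-window threshold fired, sustained-rate check fired)."""
    return {src: (window_threshold(ts), sustained_rate(ts)) for src, ts in samples.items()}

if __name__ == "__main__":
    for src, result in classify(SAMPLES).items():
        print(src, result)
```

The single-window count fires for all three sources, while the per-second bucket check fires only for the source that holds the rate for the full 10 seconds.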
