Snort mailing list archives

Re: Threshold vs. Limit


From: Nerijus Krukauskas <nk99 () delfi lt>
Date: Fri, 27 Aug 2004 08:36:42 +0300

Lyndon Tiu wrote:
>
> I have these two lines in /etc/snort/threshold.conf
>
> threshold gen_id 0, sig_id 0, type threshold, track by_src, count 10, seconds 60
>
> threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
>
> My intention is to only log one unique alert from a unique source every 60 seconds (to prevent DDOS). BUT, I also want to log if 10 alerts are received from a unique source in a 60 second period (to detect DDOS attempts).
>
> I wonder if my config above is correct or am I missing something?

Instead of two lines, I'd use one with 'type both' and the count/seconds set to the values needed. Of course, this is not exactly what you want, but you can only have just one 'threshold' rule per gid-sid pair. Snort will barf on you if you have more.

And count yourself how many drinks :-D you should take for this question: http://www.theadamsfamily.net/~erek/snort/drinking_game.txt

--
http://nk.tinkle.lt/

That's the difference between me and the rest of the world! Happiness isn't good enough for me! I demand euphoria! -- Calvin
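The difference between the three threshold types is easiest to see by running them over the same alert stream. The following simulator is an added example, not code from Snort or from anyone in this thread; it models the per-source window the way the Snort manual describes it (window starts at a source's first event, 'threshold' restarts its count each time it fires) and applies it to a constructed sample: one lone alert from 10.0.0.1, a burst of 12 from 10.0.0.2, and a second lone alert from 10.0.0.1 after the window has expired.

```python
class Threshold:
    """Model of one threshold.conf entry tracked by_src.
    kind is 'threshold', 'limit' or 'both' (Snort's semantics, modelled here;
    the window handling is an assumption based on the Snort manual)."""

    def __init__(self, kind, count, seconds):
        assert kind in ("threshold", "limit", "both")
        self.kind, self.count, self.seconds = kind, count, seconds
        self.state = {}  # src -> [window_start, events_seen_in_window]

    def event(self, ts, src):
        """Return True if the alert at time ts from src would be logged."""
        st = self.state.get(src)
        if st is None or ts - st[0] >= self.seconds:
            st = self.state[src] = [ts, 0]      # new window for this source
        st[1] += 1
        n = st[1]
        if self.kind == "limit":                # log the first `count` per window
            return n <= self.count
        if self.kind == "threshold":            # log every `count`-th event
            if n >= self.count:
                st[0], st[1] = ts, 0            # count afresh after firing
                return True
            return False
        return n == self.count                  # both: once per window, on the count-th


def run(kind, count, seconds, events):
    """Apply one threshold entry to (timestamp, src) events; return those logged."""
    t = Threshold(kind, count, seconds)
    return [(ts, src) for ts, src in events if t.event(ts, src)]


# Constructed sample stream: one alert from 10.0.0.1 at t=0, twelve alerts from
# 10.0.0.2 at t=0,5,...,55, then 10.0.0.1 again at t=70 (outside its first window).
SAMPLE = [(0, "10.0.0.1")] + [(t, "10.0.0.2") for t in range(0, 60, 5)] + [(70, "10.0.0.1")]

if __name__ == "__main__":
    for kind, count in (("limit", 1), ("threshold", 10), ("both", 10)):
        print(f"type {kind}, count {count}, seconds 60 ->", run(kind, count, 60, SAMPLE))
```

With 'type both, count 10' the burst from 10.0.0.2 is logged exactly once, but the single alerts from 10.0.0.1 are never logged; 'type limit, count 1' logs those but reports the burst as one ordinary alert, which is why one rule cannot give both behaviours at once.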

