Set Threshold for an Intrusion Rule in Snort 3
You can set a single threshold for a rule from the Rule Detail page. Adding a threshold overwrites any existing threshold for the rule. The threshold you set for an intrusion rule is applied to each packet thread. However, the configuration is fully applied only within the context of a unique flow. There may be more alerts on different network flows, but there will not be fewer alerts than the configured number.
Procedure
1. Choose .
2. Click the Snort 3 All Rules tab.
3. From an intrusion rule’s Alert Configuration column, click the None link.
4. Click Edit (
5. In the Alert Configuration window, click the Threshold tab.
6. From the Type drop-down list, choose the type of threshold you want to set:
7. Choose Source or Destination in the Track By field to indicate whether you want the event instances tracked by source or destination IP address.
8. Enter the number of event instances you want to use as your threshold in the Count field.
9. Enter a number that specifies the time period, in seconds, for which event instances are tracked in the Seconds field.
10. Click Save. Refer to the video Snort 3 Suppression and Threshold for additional support and information.
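The per-packet-thread behaviour described at the top of this page, shown with the Track By, Count and Seconds fields as an added Python simulation (not Cisco or Snort code). It assumes a threshold that alerts on the first Count events per Seconds window for each tracked address, and that each flow is pinned to one packet thread; the class, function and sample values are hypothetical.

```python
from collections import defaultdict


class ThreadThreshold:
    """Threshold state held by one packet thread (hypothetical model)."""

    def __init__(self, track_by, count, seconds):
        self.track_by, self.count, self.seconds = track_by, count, seconds
        self.windows = {}  # tracked IP -> [window_start, events_seen]

    def should_alert(self, ts, src, dst):
        key = src if self.track_by == "source" else dst
        win = self.windows.get(key)
        if win is None or ts - win[0] >= self.seconds:
            win = self.windows[key] = [ts, 0]  # open a new tracking window
        win[1] += 1
        return win[1] <= self.count  # only the first `count` events alert


def simulate(events, n_threads, track_by, count, seconds):
    """Return {thread_id: alerts}; every thread keeps its own counters."""
    threads = [ThreadThreshold(track_by, count, seconds) for _ in range(n_threads)]
    alerts = defaultdict(int)
    for ts, src, sport, dst, dport in events:
        tid = (sport + dport) % n_threads  # assumed stand-in for flow-to-thread pinning
        if threads[tid].should_alert(ts, src, dst):
            alerts[tid] += 1
    return dict(alerts)


# Constructed sample: one source fires the rule once per second for 10 seconds
# on each of three flows (three source ports) toward the same server.
EVENTS = [(t, "198.51.100.7", 40000 + f, "192.0.2.10", 443)
          for t in range(10) for f in range(3)]

if __name__ == "__main__":
    for n in (1, 3):
        per_thread = simulate(EVENTS, n, "source", count=5, seconds=60)
        print(f"{n} packet thread(s): {per_thread} total={sum(per_thread.values())}")
```

With Count set to 5, a single thread yields 5 alerts for the sample traffic, while three threads each apply the threshold independently and yield 15: more than the configured number, never fewer.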
What to do next
Deploy configuration changes; see Deploy Configuration Changes.