|
|
Re: Broken thresholding in 2923.1 and 2924.1?: msg#00156security.ids.snort.sigs
Judy Novak wrote: > I think this is a personal or site preference whether you want to track > by source or destination. The logic of tracking by source is that if > you have an attacker attempting multiple logins to one or more hosts in > a short period of time, the alert should fire. > > If you track by destination, you run the slight risk of having the alert > go off if multiple users have failed logins within a short amount of time. That's exactly my issue with the current version. Please note that the packet signature is for the *reply* so the attacker is the *destination*, not source. Cheers, nnposter ------------------------------------------------------- This SF.net email is sponsored by: IT Product Guide on ITManagersJournal Use IT products in your business? Tell us what you think of them. Give us Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more http://productguide.itmanagersjournal.com/guidepromo.tmpl |
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| Previous by Date: | Re: Broken thresholding in 2923.1 and 2924.1?: 00156, Judy Novak |
|---|---|
| Next by Date: | Re: Broken thresholding in 2923.1 and 2924.1?: 00156, Judy Novak |
| Previous by Thread: | Re: Broken thresholding in 2923.1 and 2924.1?i: 00156, Judy Novak |
| Next by Thread: | Re: Broken thresholding in 2923.1 and 2924.1?: 00156, Judy Novak |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
| News | FAQ | advertise |