Re: Broken thresholding in 2923.1 and 2924.1?

Thanks for the clarification; you are correct about the intent of the 
rule.  Will put a bug in to have this changed. 

Judy
nnposter@xxxxxxxxxxxxxxxxxxxxx wrote:

> Judy Novak wrote:
>  
>
> > I think this is a personal or site preference whether you want to track 
> > by source or destination.  The logic of tracking by source is that if 
> > you have an attacker attempting multiple logins to one or more hosts in 
> > a short period of time, the alert should fire.
> >
> > If you track by destination, you run the slight risk of having the alert 
> > go off if multiple users have failed logins within a short amount of time.
> >    
>
> That's exactly my issue with the current version. Please note that the packet
> signature is for the *reply* so the attacker is the *destination*, not source.
>
> Cheers,
> nnposter
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
> Use IT products in your business? Tell us what you think of them. Give us
> Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
> http://productguide.itmanagersjournal.com/guidepromo.tmpl
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>  




-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl