Snort Rule Question

Tags: Firewalls, TCP/IP, Networking
Last response: November 23, 2009 5:22 PM in Networking

tip120, November 20, 2009 3:12:52 AM

How do I make this rule:

# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:8;)

So that it will generate alerts for the first two packets matching its criteria, then ignore all the rest?

tip120, November 20, 2009 4:18:57 AM

Figured out how to do it using threshold, thanks anyway.

tip120, November 23, 2009 5:20:01 PM

Quote: Hi, I actually don't know about this but, this is what I was searching for and here I got a way of putting this rule through threshold. Thanks!

Yep, you just add "threshold: type limit, track by_src, count 2, seconds 300;" to the options section of your rule to only display an alert twice every 300 seconds.

riser, November 23, 2009 5:22:02 PM

Good info, thanks for the follow-up. Only saw Snort years ago at a demo but they were pushing a 3D network topology graphing software and Snort was on the sidelines.
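Added example (not from the thread and not Snort's own code): a small Python model of what "threshold: type limit, track by_src, count 2, seconds 300;" does to a stream of packets matching sid 1228. The packet list is constructed, and the fixed per-source window is an assumption of this model; it shows that each source gets its own two alerts and that alerts resume once a window has expired.

```python
from collections import Counter

# Constructed sample: (timestamp in seconds, source IP) of packets that
# matched the rule. Addresses come from documentation ranges.
MATCHES = [
    (0, "192.0.2.10"), (1, "192.0.2.10"), (2, "192.0.2.10"),
    (5, "198.51.100.7"), (6, "192.0.2.10"), (299, "192.0.2.10"),
    (305, "192.0.2.10"), (306, "192.0.2.10"), (307, "192.0.2.10"),
    (310, "198.51.100.7"), (311, "198.51.100.7"),
]


def limit_filter(matches, count=2, seconds=300):
    """Model of 'threshold: type limit, track by_src, count N, seconds S'.

    Returns the matches that still raise an alert. Assumption of this model:
    each source has a fixed window that opens at its first match and is
    replaced by a new one at the first match seen after it has expired.
    """
    state = {}  # src -> [window_start, matches_seen_in_window]
    alerts = []
    for ts, src in matches:
        entry = state.get(src)
        if entry is None or ts - entry[0] >= seconds:
            entry = state[src] = [ts, 0]  # open a new window for this source
        entry[1] += 1
        if entry[1] <= count:  # only the first N matches per window alert
            alerts.append((ts, src))
    return alerts


def suppressed_per_source(matches, alerts):
    """Count, per source, the matching packets that produced no alert."""
    return dict(Counter(src for _, src in matches)
                - Counter(src for _, src in alerts))


if __name__ == "__main__":
    alerts = limit_filter(MATCHES)
    for ts, src in alerts:
        print(f"t={ts:>3}s  alert  SCAN nmap XMAS  src={src}")
    print("suppressed:", suppressed_per_source(MATCHES, alerts))
```
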