[Oisf-users] Total packets variable?

Xavier Romero XRomero at nexica.com
Mon Sep 22 06:48:23 UTC 2014


It's easy to set up rules that trigger when there are more than x packets by using type "threshold". But I would also find it very useful to define rules that catch, for example, when an IP address uses more than x% of the total packets; is that possible in any way?

What I wish is to quickly catch a DDoS, and for us, rather than setting a static limit on packets (which could occasionally be hit by high-traffic sites), it would work much better to have the option of setting a rule that catches, for example, when an IP address is present in more than 90% of the total packets.

Best regards,
Xavier Romero
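Editor's note, added example (not part of the original post and not Suricata code): the Suricata "threshold" keyword counts packets or alerts per tracked address against a fixed "count" over "seconds", so a rule of the form "one address accounts for more than 90% of all packets" cannot be written in rule syntax. The same idea can be applied as post-processing over Suricata's eve.json flow events, which is what the script below does. The flow records are constructed for this example, not captured data; the field names (timestamp, event_type, src_ip, flow.pkts_toserver, flow.pkts_toclient) follow the eve.json flow event layout. Note the min_total floor: without it a quiet window with a single active host is trivially 100% and would alert, which is the mirror image of the static-limit problem the post describes.

```python
"""Ratio-based top-talker detection over Suricata-style eve.json flow events.

Added example, not Suricata code. Packets of each flow are attributed to the
flow's src_ip (both directions), bucketed into fixed windows, and a window
fires when one address holds more than `share` of the window's packets and
the window carries at least `min_total` packets.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed eve.json-style events (not real Suricata output). Window 1 has a
# dominant host, window 2 is balanced, window 3 is quiet with a single host.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2014-09-22T06:48:05.123456+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.1","flow":{"pkts_toserver":6000,"pkts_toclient":1000}}',
    '{"timestamp":"2014-09-22T06:48:11.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"203.0.113.1","flow":{"pkts_toserver":200,"pkts_toclient":100}}',
    '{"timestamp":"2014-09-22T06:48:20.500000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.2","flow":{"pkts_toserver":2500,"pkts_toclient":0}}',
    '{"timestamp":"2014-09-22T06:48:40.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"203.0.113.1","flow":{"pkts_toserver":150,"pkts_toclient":50}}',
    '{"timestamp":"2014-09-22T06:48:41.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.1","alert":{"signature_id":1}}',
    '{"timestamp":"2014-09-22T06:49:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.1","flow":{"pkts_toserver":300,"pkts_toclient":100}}',
    '{"timestamp":"2014-09-22T06:49:15.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"203.0.113.1","flow":{"pkts_toserver":200,"pkts_toclient":100}}',
    '{"timestamp":"2014-09-22T06:49:33.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"203.0.113.1","flow":{"pkts_toserver":200,"pkts_toclient":100}}',
    '{"timestamp":"2014-09-22T06:50:10.000000+0000","event_type":"flow","src_ip":"203.0.113.9","dest_ip":"203.0.113.1","flow":{"pkts_toserver":30,"pkts_toclient":20}}',
]


def parse_flow_events(lines):
    """Return a list of (epoch_seconds, src_ip, packets) for flow events only.

    Non-flow event types (alert, stats, ...) are skipped; packets in both
    directions are counted for the address that originated the flow.
    """
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "flow":
            continue
        # eve.json timestamps look like 2014-09-22T06:48:05.123456+0000
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()
        flow = rec["flow"]
        pkts = flow.get("pkts_toserver", 0) + flow.get("pkts_toclient", 0)
        events.append((ts, rec["src_ip"], pkts))
    return events


def packets_per_window(events, window_seconds):
    """Bucket packet counts by fixed window start and source address.

    Returns {window_start_epoch: {src_ip: packets}}.
    """
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src_ip, pkts in events:
        window_start = int(ts // window_seconds) * window_seconds
        buckets[window_start][src_ip] += pkts
    return buckets


def ratio_alerts(events, window_seconds=60, share=0.9, min_total=1000):
    """Flag windows where one source exceeds `share` of all packets.

    `min_total` is the packet floor below which a window is ignored, so a
    single host on an otherwise idle link is not reported as a flood.
    """
    alerts = []
    for window_start, per_ip in sorted(packets_per_window(events, window_seconds).items()):
        total = sum(per_ip.values())
        if total < min_total:
            continue
        src_ip, pkts = max(per_ip.items(), key=lambda kv: kv[1])
        if pkts / total > share:
            alerts.append({
                "window_start": datetime.fromtimestamp(window_start, tz=timezone.utc).isoformat(),
                "src_ip": src_ip,
                "share": pkts / total,
                "total_pkts": total,
            })
    return alerts


if __name__ == "__main__":
    for alert in ratio_alerts(parse_flow_events(SAMPLE_EVE_LINES)):
        print("{window_start} {src_ip} {share:.0%} of {total_pkts} packets".format(**alert))
```

Run against a live sensor as `tail -f /var/log/suricata/eve.json` piped into a loop that feeds parse_flow_events; flow events are emitted when a flow ends or times out, so the windowing lags the wire by the flow timeout and is a detection aid rather than a real-time block. The share test is applied per window, so choose window_seconds to match the burst length you care about.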
