Solved: help need on the event count parameter of signatures

sebastan_bach · ‎12-25-2006

hi all i have a little confusion abt the event count parameter in the signatures.

i am not sure whether this parameter is for firing the signatures or for writing the events to the event store.

by default the event count is set to 1.

if i set the event count to 5 for a particular signature.

say for icmp echo request. if i set the signature event count to 5 within 10 seconds interval. and the signature action is to deny the packet inline.

then when the first icmp echo request is send will the signature be fired i mean will the packet be dropped.

or the packet will be dropped only if 5 icmp echo requests are send within 10 seconds.

can someone pls clear my doubt.

regards

sebastan

Fernando_Meza · ‎12-25-2006

Hi ..

The signature will perform the action specified on the signature .. the count event is to control the ammount of alerts you received .. in your case you will receive one alert everytime the signature fires 5 times within 10 seconds.

I hope it helps .. please rate if it it does !!!

View solution in original post

Fernando_Meza · ‎12-25-2006

Hi ..

The signature will perform the action specified on the signature .. the count event is to control the ammount of alerts you received .. in your case you will receive one alert everytime the signature fires 5 times within 10 seconds.

I hope it helps .. please rate if it it does !!!