On Tue, 2004-09-14 at 14:28, Chris Edwards wrote:
> On Tue, 14 Sep 2004, Bastiaan Spandaw wrote:
>
> | filter-definition list-of-hosts-under-attack
> | match flows flow-treshold
> | #match octets flow-treshold
> | match dst-ip-addr my-network
>
> The line you've commented out is significant.
>
> It makes sense to select "flows with > 10000 octets". But I don't see how
> we can select "flows with > 10000 flows".

Ah.. that makes sense.

> Can you describe what info you're actually trying to obtain ?

My flow-capture setup rotates every minute, I'd like to see an alarm if
there are more than 10k flows for one dest. IP. (DDoS alarm)

How could I set up such an alarm?

Thanks,
Bastiaan
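
The alarm asked about above needs a count of flows per destination address rather than a per-flow filter match. The sketch below is an added example, not part of the thread and not flow-tools' own code: it thresholds a per-destination summary, and the function names, the sample data and the assumed report layout are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Reads a per-destination summary on
# stdin, one address per line: "<dst-ip> <flows> <octets> <packets>", and
# prints every destination inside the protected network whose flow count
# exceeds the threshold.
# Assumption: this matches the layout of a flow-tools destination-IP report
# (for example `flow-cat FILE | flow-stat -f8`), with '#' header lines.
ddos_alarm() {
    # $1 = flow-count threshold, $2 = protected network in CIDR form
    awk -v thr="$1" -v cidr="$2" '
    function ip2int(ip,   o) {
        if (split(ip, o, "[.]") != 4) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        split(cidr, c, "/")
        size = 2 ^ (32 - c[2])          # number of addresses in the prefix
        net  = ip2int(c[1])
        net  = net - (net % size)       # clear any host bits
    }
    /^#/ || NF < 2 { next }             # skip header and blank lines
    {
        a = ip2int($1)
        if (a < 0) next                 # not a dotted-quad address
        if (a >= net && a < net + size && $2 + 0 > thr + 0)
            printf "ALARM dst=%s flows=%d\n", $1, $2
    }'
}

# Constructed sample for one capture interval (documentation addresses only).
sample_report() {
    cat <<'EOF'
# constructed sample, not real traffic
# IPaddr flows octets packets
192.0.2.10 15230 912000 15230
192.0.2.20 812 4400000 3100
198.51.100.7 20444 1200000 20444
EOF
}

# Demo: 10k-flow threshold from the message, 192.0.2.0/24 as "my-network".
sample_report | ddos_alarm 10000 192.0.2.0/24
```

In the sample, 192.0.2.20 carries the most octets but few flows and 198.51.100.7 lies outside the protected network, so only 192.0.2.10 is reported.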
