During an attack you'll want to lower CT_LIMIT to around 100, but if you set it to anything lower than that you'll probably begin to see false positives. You can use the "netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr" command to help you fine-tune the limit. I...
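
An added example (not from the original text): a variant of the pipeline above that skips netstat's two header lines and keeps IPv6 addresses intact, both of which the "cut -d: -f1" step mishandles, then lists the addresses a candidate CT_LIMIT would catch. The sample output is constructed, the function names are hypothetical, and treating "more connections than the limit" as the trigger is an assumption.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (documentation-range addresses).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51002       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40000      ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::beef:55000    ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::beef:55001    ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:51003 TIME_WAIT
udp        0      0 192.0.2.10:53           198.51.100.7:53000
EOF
}

# conn_counts (hypothetical helper): reads `netstat -ntu` output on stdin and
# prints "count address" per remote address, highest count first.
conn_counts() {
  awk '$1 ~ /^(tcp|udp)/ {            # skip the two header lines
         addr = $5
         sub(/:[0-9*]+$/, "", addr)   # strip only the trailing :port
         sub(/^::ffff:/, "", addr)    # fold IPv4-mapped IPv6 into plain IPv4
         n[addr]++
       }
       END { for (a in n) print n[a], a }' | sort -k1,1nr -k2,2
}

# over_limit LIMIT (hypothetical helper): prints the addresses whose
# connection count is greater than LIMIT, i.e. those a CT_LIMIT of LIMIT
# would catch under the assumption stated in the lead-in.
over_limit() {
  conn_counts | awk -v limit="$1" '$1 > limit { print $2 }'
}

# Demo on the constructed sample; on a live host use: netstat -ntu | conn_counts
sample_netstat | conn_counts
```

Running over_limit with several candidate values during normal traffic shows which legitimate addresses would be caught before the limit is lowered.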