Snort mailing list archives
Re[2]: thresholding
From: Jyri Hovila <jyri.hovila () iki fi>
Date: Tue, 23 Sep 2003 10:43:29 +0300
Hi!
I believe you need to add the thresholding arguments to the signature definition itself. Try something like:

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Welchia"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; itype:8; depth:32; reference:arachnids,154; sid:483; classtype:misc-activity; threshold: type limit, track by_src, count 1, seconds 60; rev:3;)

This should limit you to one welchia alert per infected host per
In my opinion it's more useful to use track by_dst for now, until Welchia traffic reduces to a sensible level. There are so many infected hosts at this time that there's no point in trying to track by source. I'm running Snort on 10 hosts and had to radically calm down the Welchia rule in order to prevent my central database from being clogged by Welchia alerts. Here's the rule I use:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP PING \
Welchia worm [LIMITED]"; content:"|aaaa aaaa aaaa aaaa aaaa aaaa aaaa \
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa \
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|"; itype:8; \
dsize:64; classtype:trojan-activity; sid:1000000; threshold: \
type limit, track by_dst, count 1, seconds 900;)

- j.
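The thresholding behaviour the two rules above rely on, as an added illustration that is not part of the thread or of Snort itself: it models the rule-level threshold option and shows why track by_dst collapses the flood from many infected hosts into one alert per window where track by_src does not. It goes beyond the thread's type limit to cover the other two Snort threshold types; the host addresses and timings are constructed.

```python
# Added example, not code from the thread or from Snort: a model of the
# per-rule "threshold" option, showing how
# "type limit, track by_src|by_dst, count N, seconds S" decides whether
# a matching packet is reported. Per the Snort docs: limit reports the
# first N matches per S-second window, threshold reports every Nth match,
# both reports once per window after N matches. A window starts at the
# first match for the tracked key and is reset once S seconds have passed.

class Threshold:
    def __init__(self, kind, track, count, seconds):
        assert kind in ("limit", "threshold", "both")
        assert track in ("by_src", "by_dst")
        self.kind, self.track = kind, track
        self.count, self.seconds = count, seconds
        self.state = {}  # tracking key -> (window_start, matches_in_window)

    def event(self, ts, src, dst):
        """Return True if this rule match should produce an alert."""
        key = src if self.track == "by_src" else dst
        start, n = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0  # first match, or window expired: start a new one
        n += 1
        self.state[key] = (start, n)
        if self.kind == "limit":
            return n <= self.count
        if self.kind == "threshold":
            return n % self.count == 0
        return n == self.count  # "both"

def welchia_pings(n_sources, period=10, repeats=3):
    """Constructed ICMP-match stream (not capture data): n_sources infected
    hosts each ping the same monitored host every `period` seconds."""
    events = []
    for r in range(repeats):
        for i in range(n_sources):
            events.append((r * period + i * 0.01, f"10.0.0.{i + 1}", "192.168.1.10"))
    return sorted(events)

def alerts_generated(track, n_sources=20):
    """Alerts fired by the thread's rule (type limit, count 1, seconds 900)."""
    th = Threshold("limit", track, count=1, seconds=900)
    return sum(th.event(ts, s, d) for ts, s, d in welchia_pings(n_sources))

if __name__ == "__main__":
    print("by_src:", alerts_generated("by_src"))  # 20: one per infected host
    print("by_dst:", alerts_generated("by_dst"))  # 1: one per 15-minute window
```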
Current thread:
- thresholding Doug Nordwall (Sep 22)
- Re: thresholding Chris Green (Sep 22)
- Re: thresholding Doug Nordwall (Sep 22)
- Re: thresholding Robert Vance Jr (Sep 22)
- Re: thresholding Doug Nordwall (Sep 22)
- Re[2]: thresholding Jyri Hovila (Sep 23)
- Re: Re[2]: thresholding Doug Nordwall (Sep 23)
- Re: Re[2]: thresholding Nordwall, Douglas J (Sep 24)
- Re: thresholding Doug Nordwall (Sep 22)
- Re: thresholding Chris Green (Sep 22)