Re[2]: thresholding

[Jyri Hovila <jyri.hovila () iki fi>]

Hi!

> > I believe you need to add the thresholding arguments to the signature
> > definition itself.  Try something like:
> >
> > alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Welchia"; 
> > content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;depth:32; 
> > reference:arachnids,154; sid:483; classtype:misc-activity; threshold:
> > type limit, track by_src, count 1, seconds 60 ; rev:3;)
> >
> > This should limit you to one welchia alert per infected host per 

In my opinion it's more useful to use track by_dst for now, until
Welchia traffic reduces to a sensible level. There are so many infected
hosts at this time that there's no point in trying to track by source.
I'm running Snort on 10 hosts and had to radically calm down the Welchia
rule in order to prevent my central database from being clogged by
Welchia alerts. Here's the rule I use:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP PING \
Welchia worm [LIMITED]"; content:"|aaaa aaaa aaaa aaaa aaaa aaaa aaaa \
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa \
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|";itype:8; \
dsize:64; classtype:trojan-activity; sid:1000000; threshold: \
type limit, track by_dst, count 1, seconds 900;)

- j.



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users