Snort mailing list archives

Threshold Bug - 2.2.0-RC1


From: Rich Adamson <radamson () routers com>
Date: Wed, 30 Jun 2004 14:20:22 -0600

Bug Report:

I'm trying the following threshold rule in local.rules on 2.2.0-RC1 (Win32):

alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S; threshold: type limit, track by_src, count 6, seconds 60; classtype:misc-activity; sid: 1000002; rev:1;)

and receive:
ERROR: *** threshold: count
*** Invalid integer input: 6
Fatal Error, Quitting..
 
adding the following to the above rule:
 content:" "; offset:0;
allows snort to run successfully.

I believe this is the same bug that Chris Reid addressed a week or so ago
and sent me a pre-RC1 Win32 install to test. That "did" correct the problem,
but does not seem to have made it into RC1. (Maybe has something to do
with moving cvs servers?)

From what Chris mentioned at the time, the bug is related to not
having "any form of integer" prior to the threshold quad values.
Inserting the content:" "; offset:0; creates that integer value
prior to the threshold and fixes the abort, even though adding
those makes no sense from a rule perspective.

The above rule was actually intended to help identify high rates of
TCP SYN traffic (e.g., viruses, trojans) generated by internal ISP
customer machines. As such, there is no desire to have a content
or offset parameter.

Rich
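As an added example (not from this post or from Snort's own sources), here is a small Python model of what the reported rule's threshold option means once the "count 6" actually parses: a parser that validates the quad values (type, track, count, seconds) the way the rule author expects, and a simplified "type limit, track by_src" limiter fed with constructed SYN events. The window handling is an approximation of Snort's behaviour, and the event format is assumed.

```python
import re
from collections import defaultdict

# Constructed copy of the rule from the report; only the threshold option is parsed here.
RULE = ('alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S; threshold: type '
        'limit, track by_src, count 6, seconds 60; classtype:misc-activity; sid: 1000002; rev:1;)')

def parse_threshold(rule):
    """Return the threshold option as a dict; count/seconds become ints or ValueError is raised."""
    m = re.search(r'threshold\s*:\s*([^;]+);', rule)
    if not m:
        raise ValueError("threshold: option missing")
    fields = dict(item.strip().partition(' ')[::2] for item in m.group(1).split(','))
    for k in ('count', 'seconds'):  # both must be plain non-negative integers
        if not fields.get(k, '').strip().isdigit():
            raise ValueError(f"threshold: {k}: invalid integer input: {fields.get(k)!r}")
        fields[k] = int(fields[k])
    if fields.get('type') not in ('limit', 'threshold', 'both') or fields.get('track') not in ('by_src', 'by_dst'):
        raise ValueError("threshold: bad type or track value")
    return fields

class LimitThreshold:
    """Snort 'type limit': alert on the first `count` matches per tracked address in each
    `seconds` window, then stay silent until that window expires (simplified model)."""
    def __init__(self, th):
        self.count, self.seconds = th['count'], th['seconds']
        self.key = 'src' if th['track'] == 'by_src' else 'dst'
        self.windows = {}  # tracked address -> (window_start, matches_seen)

    def should_alert(self, pkt):
        addr, ts = pkt[self.key], pkt['ts']
        start, n = self.windows.get(addr, (ts, 0))
        if ts - start >= self.seconds:  # window expired: start a fresh one
            start, n = ts, 0
        self.windows[addr] = (start, n + 1)
        return n < self.count

def alerts_per_source(rule, packets):
    """Feed SYN events (assumed already matched by flags:S) through the rule's threshold."""
    th = LimitThreshold(parse_threshold(rule))
    hits = defaultdict(int)
    for p in packets:
        if th.should_alert(p):
            hits[p['src']] += 1
    return dict(hits)

# Constructed SYN events: 10.0.0.5 sends 20 SYNs within 30 s, 10.0.0.9 sends only 3.
PACKETS = ([{'src': '10.0.0.5', 'dst': '192.0.2.1', 'ts': i * 1.5} for i in range(20)]
           + [{'src': '10.0.0.9', 'dst': '192.0.2.1', 'ts': t} for t in (5, 6, 7)])
```

With the constructed events, the noisy host produces exactly six alerts in the 60-second window and the quiet host three, which is the "limit" behaviour the rule was written to get without any content or offset option.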



