Snort mailing list archives
Threshold Bug - 2.2.0-RC1
From: Rich Adamson <radamson () routers com>
Date: Wed, 30 Jun 2004 14:20:22 -0600
Bug Report:
I'm trying the following threshold rule in local.rules on 2.2.0-RC1 (Win32):

alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S; threshold: type limit, track by_src, count 6, seconds 60; classtype:misc-activity; sid: 1000002; rev:1;)

and receive:

ERROR: *** threshold: count *** Invalid integer input: 6
Fatal Error, Quitting..

Adding the following to the above rule:

content:" "; offset:0;

allows snort to run successfully. I believe this is the same bug that Chris Reid addressed a week or so ago and sent me a pre-RC1 Win32 install to test. That "did" correct the problem, but does not seem to have made it into RC1. (Maybe has something to do with moving cvs servers?)

From what Chris mentioned at the time, the bug is related to not having "any form of integer" prior to the threshold quad values. Inserting the content:" "; offset:0; creates that integer value prior to the threshold and fixes the abort, even though adding those makes no sense from a rule perspective. The above rule was actually intended to help identify high rates of tcp SYN traffic (eg, viruses, trojans) generated by internal ISP customer machines. As such, there is no desire to have a content or offset parameter.

Rich
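The following is an added example, not Snort's code and not part of the post. It parses the threshold option of the rule quoted above with the strict integer check that the reported error message implies, then replays the rule against a constructed SYN stream under each of Snort's three threshold types (limit, threshold, both, with the semantics the Snort manual gives them). The addresses and timestamps are made up; `ThresholdTracker`, `replay` and `SYN_EVENTS` are names chosen for this example.

```python
"""Parse a Snort 2.x 'threshold:' rule option and replay its suppression
logic against a constructed event stream.  Added example, not Snort code."""
import re
from dataclasses import dataclass

# The rule quoted in the post, reproduced verbatim as the parser's input.
RULE = ('alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S; '
        'threshold: type limit, track by_src, count 6, seconds 60; '
        'classtype:misc-activity; sid: 1000002; rev:1;)')

_KINDS = {"limit", "threshold", "both"}
_TRACKS = {"by_src", "by_dst"}


@dataclass(frozen=True)
class Threshold:
    kind: str      # limit | threshold | both
    track: str     # by_src | by_dst
    count: int
    seconds: int


def _positive_int(name, raw):
    # Mirror the wording of Snort's own error so the failure is recognisable.
    if not re.fullmatch(r"\d+", raw) or int(raw) < 1:
        raise ValueError(f"threshold: {name} *** Invalid integer input: {raw}")
    return int(raw)


def parse_threshold(option_value):
    """Parse the text after 'threshold:' (e.g. 'type limit, track by_src, count 6, seconds 60')."""
    fields = {}
    for item in option_value.split(","):
        parts = item.split()
        if len(parts) != 2:
            raise ValueError(f"threshold: malformed field {item.strip()!r}")
        key, value = parts
        if key in fields:
            raise ValueError(f"threshold: duplicate field {key}")
        fields[key] = value
    missing = {"type", "track", "count", "seconds"} - fields.keys()
    if missing:
        raise ValueError(f"threshold: missing field(s) {sorted(missing)}")
    if fields["type"] not in _KINDS:
        raise ValueError(f"threshold: unknown type {fields['type']}")
    if fields["track"] not in _TRACKS:
        raise ValueError(f"threshold: unknown track {fields['track']}")
    return Threshold(fields["type"], fields["track"],
                     _positive_int("count", fields["count"]),
                     _positive_int("seconds", fields["seconds"]))


def threshold_from_rule(rule):
    """Pull the threshold option out of a full rule line."""
    m = re.search(r"threshold:\s*([^;]+);", rule)
    if not m:
        raise ValueError("rule carries no threshold option")
    return parse_threshold(m.group(1))


class ThresholdTracker:
    """Per-address event counter implementing the three Snort threshold types."""

    def __init__(self, th):
        self.th = th
        self._windows = {}   # tracked address -> (window_start, events_in_window)

    def event(self, src, dst, ts):
        """Record one matching packet at time ts; return True if it should alert."""
        key = src if self.th.track == "by_src" else dst
        start, n = self._windows.get(key, (None, 0))
        if start is None or ts - start >= self.th.seconds:
            start, n = ts, 0                    # new time window for this address
        n += 1
        if self.th.kind == "limit":
            fire = n <= self.th.count           # first `count` events alert, rest suppressed
        elif self.th.kind == "threshold":
            fire = n >= self.th.count           # every `count`-th event alerts ...
            if fire:
                start, n = ts, 0                # ... and the window restarts after it
        else:                                   # both
            fire = n == self.th.count           # one alert per window, once `count` is reached
        self._windows[key] = (start, n)
        return fire


def replay(rule, events):
    """Feed (src, dst, timestamp) events through the rule's threshold; return the alert decisions."""
    tracker = ThresholdTracker(threshold_from_rule(rule))
    return [tracker.event(src, dst, ts) for src, dst, ts in events]


# Constructed sample: one internal host sending eight SYNs in eight seconds,
# another SYN from it 65 s later, and a single SYN from a second host.
SYN_EVENTS = [("10.0.0.5", "198.51.100.7", t) for t in range(8)]
SYN_EVENTS += [("10.0.0.5", "198.51.100.7", 65), ("10.0.0.9", "198.51.100.7", 66)]

if __name__ == "__main__":
    print(threshold_from_rule(RULE))
    for ev, fired in zip(SYN_EVENTS, replay(RULE, SYN_EVENTS)):
        print(f"{ev[2]:>3}s {ev[0]:<10} {'ALERT' if fired else 'suppressed'}")
```

Replaying the post's rule shows what `type limit` does with the sample stream: the first six SYNs from 10.0.0.5 in each 60-second window alert and the rest are suppressed, while `type threshold` and `type both` stay silent until the sixth SYN arrives. Swapping the type in the rule string is the quickest way to compare the three behaviours before deploying a rate-oriented rule.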