Snort mailing list archives

Re: thresholding not working


From: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Date: Wed, 19 Jan 2011 13:20:23 -0500

Russ,

The following lines within our threshold.conf file do not work, we are still getting alerts for them as soon as snort detects them, not the 3600 seconds we have it set for:

event_filter gen_id 1, sig_id 384, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 408, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 366, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 128, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 648, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 1394, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 2006402, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 2001219, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 124, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 122, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 2006380, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 3, sig_id 119, type limit, track by_src, count 1, seconds 3600
  ----- Original Message ----- 
  From: Russ Combs 
  To: Lawrence R. Hughes, Sr. 
  Cc: Weir, Jason ; snort-users () lists sourceforge net 
  Sent: Wednesday, January 19, 2011 1:15 PM
  Subject: Re: [Snort-users] thresholding not working


  OK - can you be more specific about how it isn't working for you?


  On Wed, Jan 19, 2011 at 12:20 PM, Lawrence R. Hughes, Sr. <lhughes () safemedia com> wrote:

    Yes, we have the include statement in our snort.conf

    Thanks,
    Larry

      ----- Original Message ----- 
      From: Weir, Jason 
      To: Lawrence R. Hughes, Sr. ; snort-users () lists sourceforge net 
      Sent: Wednesday, January 19, 2011 12:10 PM
      Subject: RE: [Snort-users] thresholding not working


      do you have a line in your snort.conf like this

      # Event thresholding or suppression commands. See threshold.conf
      include threshold.conf

      have you tried to suppress them?  What happens?

      -J
       -----Original Message-----
      From: Lawrence R. Hughes, Sr. [mailto:lhughes () safemedia com] 
      Sent: Wednesday, January 19, 2011 11:55 AM
      To: snort-users () lists sourceforge net
      Subject: [Snort-users] thresholding not working


        Hi,

        We have tried everything to get thresholding (threshold.conf) working in 2.8.6.1.
        Here is our code within threshold.conf:


        event_filter gen_id 1, sig_id 384, type limit, track by_src, count 1, seconds 3600
        event_filter gen_id 1, sig_id 408, type limit, track by_src, count 1, seconds 3600
        event_filter gen_id 1, sig_id 366, type limit, track by_src, count 1, seconds 3600
        event_filter gen_id 1, sig_id 128, type limit, track by_src, count 1, seconds 3600
        event_filter gen_id 1, sig_id 648, type limit, track by_src, count 1, seconds 3600
        event_filter gen_id 1, sig_id 1394, type limit, track by_src, count 1, seconds 3600
        event_filter gen_id 1, sig_id 2006402, type limit, track by_src, count 1, seconds 3600
        event_filter gen_id 1, sig_id 2001219, type limit, track by_src, count 1, seconds 3600
        event_filter gen_id 1, sig_id 124, type limit, track by_src, count 1, seconds 3600
        event_filter gen_id 1, sig_id 122, type limit, track by_src, count 1, seconds 3600
        event_filter gen_id 1, sig_id 2006380, type limit, track by_src, count 1, seconds 3600
        event_filter gen_id 3, sig_id 119, type limit, track by_src, count 1, seconds 3600

        What are we doing wrong or is thresholding broken?

        Thanks,
        Larry
    ------------------------------------------------------------------------------
    Protect Your Site and Customers from Malware Attacks
    Learn about various malware tactics and how to avoid them. Understand
    malware threats, the impact they can have on your business, and how you
    can protect your company and customers by using code signing.
    http://p.sf.net/sfu/oracle-sfdevnl
    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users


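To make the thread's event_filter lines concrete, here is an added example (not code from the thread, nor from Snort's own sources) that parses a threshold.conf body and replays a constructed alert stream through the limit/threshold/both semantics described in the Snort manual: `limit` logs the first `count` events per tracked address per window, `threshold` logs every `count`-th event, `both` logs once on the `count`-th event. The window model (starts on the first event, resets after `seconds`) approximates Snort 2.8.x behaviour rather than reproducing its code. It goes beyond the thread's `type limit` lines to cover all three types, and it rejects a second event_filter for the same gen_id/sig_id, which Snort does not allow. All names (`EventFilter`, `EventFilterEngine`, `simulate`, `conf_errors`), the sig_id 999999 line and the alert timestamps are constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Grammar of one event_filter line (as used in the thread's threshold.conf).
EVENT_FILTER_RE = re.compile(
    r"^event_filter\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,"
    r"\s*type\s+(limit|threshold|both)\s*,\s*track\s+(by_src|by_dst)\s*,"
    r"\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)$"
)


@dataclass(frozen=True)
class EventFilter:
    gen_id: int
    sig_id: int
    kind: str     # limit | threshold | both
    track: str    # by_src | by_dst
    count: int
    seconds: int


@dataclass(frozen=True)
class Alert:
    gen_id: int
    sig_id: int
    src: str
    dst: str
    ts: int       # seconds; alerts are fed in time order


def parse_threshold_conf(text):
    """Parse event_filter lines into {(gen_id, sig_id): EventFilter}.

    Raises ValueError on a malformed line or on a second event_filter for the
    same gen_id/sig_id (only one is allowed per signature).
    """
    filters = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = EVENT_FILTER_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised event_filter syntax: {raw.strip()!r}")
        f = EventFilter(int(m[1]), int(m[2]), m[3], m[4], int(m[5]), int(m[6]))
        key = (f.gen_id, f.sig_id)
        if key in filters:
            raise ValueError(f"line {lineno}: duplicate event_filter for gen_id {f.gen_id}, sig_id {f.sig_id}")
        filters[key] = f
    return filters


def conf_errors(text):
    """Return error messages for a threshold.conf body (empty list if it parses)."""
    try:
        parse_threshold_conf(text)
    except ValueError as e:
        return [str(e)]
    return []


class EventFilterEngine:
    """Decide, per alert, whether the matching event_filter lets it through."""

    def __init__(self, filters):
        self.filters = filters
        self.state = {}   # (gen_id, sig_id, tracked ip) -> (window_start, count)

    def should_log(self, a):
        f = self.filters.get((a.gen_id, a.sig_id))
        if f is None:
            return True                      # no filter: every event is logged
        ip = a.src if f.track == "by_src" else a.dst
        key = (a.gen_id, a.sig_id, ip)
        start, n = self.state.get(key, (None, 0))
        if start is None or a.ts - start >= f.seconds:
            start, n = a.ts, 0               # window expired: this event opens a new one
        n += 1
        self.state[key] = (start, n)
        if f.kind == "limit":                # first `count` events per window
            return n <= f.count
        if f.kind == "threshold":            # every `count`-th event per window
            return n % f.count == 0
        return n == f.count                  # both: once, on the `count`-th event


def simulate(conf_text, alerts):
    """Run alerts through the filters; return those that would be logged."""
    engine = EventFilterEngine(parse_threshold_conf(conf_text))
    return [a for a in alerts if engine.should_log(a)]


# Constructed config: two lines from the thread plus a made-up threshold-type line.
SAMPLE_CONF = """\
# comments and blank lines are ignored
event_filter gen_id 1, sig_id 384, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 408, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 999999, type threshold, track by_src, count 3, seconds 60
"""

# Constructed alert stream: sig 384 repeatedly from one host, once from another.
SAMPLE_ALERTS = [
    Alert(1, 384, "10.0.0.5", "10.0.0.1", 0),
    Alert(1, 384, "10.0.0.5", "10.0.0.1", 10),
    Alert(1, 384, "10.0.0.6", "10.0.0.1", 15),
    Alert(1, 384, "10.0.0.5", "10.0.0.1", 3599),
    Alert(1, 384, "10.0.0.5", "10.0.0.1", 3600),   # 3600 s elapsed: logged again
    Alert(1, 384, "10.0.0.5", "10.0.0.1", 3700),
]

if __name__ == "__main__":
    for a in simulate(SAMPLE_CONF, SAMPLE_ALERTS):
        print(f"logged: gen {a.gen_id} sig {a.sig_id} src {a.src} t={a.ts}")
```

With the thread's `count 1, seconds 3600` limit, the replay logs only the first sig 384 alert from 10.0.0.5, the one from 10.0.0.6, and then 10.0.0.5 again once a full hour has passed; the behaviour Larry reports (every event logged) is what `simulate` produces when the parsed filter set is empty, which is the outcome if the file is never read, so `conf_errors` is the first thing to run against the real threshold.conf before looking elsewhere.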
