Snort mailing list archives
Re: thresholding not working
From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 19 Jan 2011 13:24:48 -0500
On Wed, Jan 19, 2011 at 1:20 PM, Lawrence R. Hughes, Sr. <lhughes () safemedia com> wrote:
Russ, The following lines within our threshold.conf file do not work, we are still getting alerts for them as soon as snort detects them, not the 3600 seconds we have it set for:
The configs below will output 1 event per sid each 3600 seconds by source IP, starting with the 1st event. Are you getting more than one event per source IP for the same sid in less than 3600 seconds?
event_filter gen_id 1, sig_id 384, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 408, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 366, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 128, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 648, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 1394, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 2006402, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 2001219, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 124, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 122, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 2006380, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 3, sig_id 119, type limit, track by_src, count 1, seconds 3600

----- Original Message -----
From: Russ Combs <rcombs () sourcefire com>
To: Lawrence R. Hughes, Sr. <lhughes () safemedia com>
Cc: Weir, Jason <jason.weir () nhrs org>; snort-users () lists sourceforge net
Sent: Wednesday, January 19, 2011 1:15 PM
Subject: Re: [Snort-users] thresholding not working

OK - can you be more specific about how it isn't working for you?

On Wed, Jan 19, 2011 at 12:20 PM, Lawrence R. Hughes, Sr. <lhughes () safemedia com> wrote:

Yes, we have the include statement in our snort.conf

Thanks,
Larry

----- Original Message -----
From: Weir, Jason <jason.weir () nhrs org>
To: Lawrence R. Hughes, Sr. <lhughes () safemedia com>; snort-users () lists sourceforge net
Sent: Wednesday, January 19, 2011 12:10 PM
Subject: RE: [Snort-users] thresholding not working

do you have a line in your snort.conf like this

# Event thresholding or suppression commands. See threshold.conf
include threshold.conf

have you tried to suppress them? What happens?
-J

-----Original Message-----
From: Lawrence R. Hughes, Sr. [mailto:lhughes () safemedia com]
Sent: Wednesday, January 19, 2011 11:55 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] thresholding not working

Hi,

We have tried everything to get thresholding (threshold.conf) working in 2.8.6.1. Here is our code within threshold.conf:

event_filter gen_id 1, sig_id 384, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 408, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 366, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 128, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 648, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 1394, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 2006402, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 2001219, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 124, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 122, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 2006380, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 3, sig_id 119, type limit, track by_src, count 1, seconds 3600

What are we doing wrong or is thresholding broken?

Thanks,
Larry

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
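The behaviour Russ describes above for `type limit, track by_src, count 1, seconds 3600` (one event per sid, per source IP, per hour, starting with the first event) worked through as an added example. This is a small Python model of the event_filter semantics documented in the Snort 2.x manual, written for this page; it is not Snort's own code and is not from any poster in the thread. It parses three of the event_filter lines posted above, replays a constructed event stream through them, and also goes beyond the thread by comparing `limit` with the `threshold` and `both` filter types. The event tuples, IP addresses, timestamps and the `1:999` sid with no filter are all constructed for the example; the duplicate-filter check follows the manual's rule that only one event_filter may be defined per gen_id:sig_id.

```python
import re

# Constructed sample: three of the event_filter lines posted in the thread.
THRESHOLD_CONF = """
# Event thresholding or suppression commands.
event_filter gen_id 1, sig_id 384, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 1, sig_id 408, type limit, track by_src, count 1, seconds 3600
event_filter gen_id 3, sig_id 119, type limit, track by_src, count 1, seconds 3600
"""

FILTER_RE = re.compile(
    r"^event_filter\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*type\s+(limit|threshold|both)\s*,"
    r"\s*track\s+(by_src|by_dst)\s*,\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)$"
)


def parse_threshold_conf(text):
    """Parse event_filter lines into {(gen_id, sig_id): {type, track, count, seconds}}."""
    filters = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = FILTER_RE.match(line)
        if not m:
            raise ValueError("unrecognised threshold.conf line: %r" % raw)
        gid, sid, ftype, track, count, seconds = m.groups()
        key = (int(gid), int(sid))
        if key in filters:
            # The Snort manual allows only one event_filter per gen_id:sig_id.
            raise ValueError("duplicate event_filter for %d:%d" % key)
        filters[key] = {"type": ftype, "track": track,
                        "count": int(count), "seconds": int(seconds)}
    return filters


class EventFilterEngine:
    """Model of Snort 2.x event_filter semantics (an example model, not Snort's code).

    limit     - log the first `count` events in a `seconds` window, drop the rest
    threshold - log every `count`-th event, restarting the count after each log
    both      - log once per window, when the `count`-th event arrives
    A window starts at the first event seen for a (gen_id, sig_id, tracked IP).
    """

    def __init__(self, filters):
        self.filters = filters
        self.state = {}   # (gid, sid, ip) -> (window_start, events_in_window)

    def process(self, gid, sid, src, dst, ts):
        """Return True if the event is logged, False if the filter drops it."""
        f = self.filters.get((gid, sid))
        if f is None:
            return True   # no filter for this gid:sid -> every event is logged
        ip = src if f["track"] == "by_src" else dst
        key = (gid, sid, ip)
        start, n = self.state.get(key, (None, 0))
        if start is None or ts - start >= f["seconds"]:
            start, n = ts, 0   # first event, or the previous window has expired
        n += 1
        if f["type"] == "limit":
            log = n <= f["count"]
        elif f["type"] == "threshold":
            log = n >= f["count"]
            if log:
                start, n = ts, 0   # count restarts after each threshold alert
        else:  # both
            log = n == f["count"]
        self.state[key] = (start, n)
        return log


def demo():
    """Replay a constructed event stream through the thread's limit filters."""
    engine = EventFilterEngine(parse_threshold_conf(THRESHOLD_CONF))
    events = [  # (gen_id, sig_id, src, dst, seconds since start); all constructed
        (1, 384, "10.0.0.5", "192.0.2.10", 0),     # first hit from 10.0.0.5 -> logged
        (1, 384, "10.0.0.5", "192.0.2.10", 60),    # same src and sid inside the hour -> dropped
        (1, 384, "10.0.0.5", "192.0.2.11", 1800),  # other dst is irrelevant for by_src -> dropped
        (1, 384, "10.0.0.6", "192.0.2.10", 1801),  # other src has its own counter -> logged
        (1, 384, "10.0.0.5", "192.0.2.10", 3660),  # an hour after the first hit -> new window -> logged
        (3, 119, "10.0.0.5", "192.0.2.10", 3661),  # other gen_id:sig_id, own counter -> logged
        (1, 999, "10.0.0.5", "192.0.2.10", 3662),  # no event_filter for 1:999 -> logged
    ]
    return [engine.process(*e) for e in events]


def compare_types(count=3, seconds=3600, n_events=7):
    """Same one-source burst (one event every 10 s) under each filter type."""
    results = {}
    for ftype in ("limit", "threshold", "both"):
        f = {(1, 1): {"type": ftype, "track": "by_src", "count": count, "seconds": seconds}}
        engine = EventFilterEngine(f)
        results[ftype] = [engine.process(1, 1, "10.0.0.5", "192.0.2.10", 10 * i)
                          for i in range(n_events)]
    return results


if __name__ == "__main__":
    print("limit, count 1, 3600 s:", demo())
    for ftype, logged in compare_types().items():
        print("%-9s count 3: %s" % (ftype, logged))
```

Run as a script, `demo()` shows exactly what Russ states: the first event from a source is logged immediately, repeats from the same source within the hour are dropped, a different source or a different gen_id:sig_id keeps its own counter, and the counter resets an hour after the first event. `compare_types()` makes the point that `limit` is the only type that logs the first event; `threshold` and `both` stay silent until the count is reached, which matters when choosing a filter type for noisy-but-important signatures.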
Current thread:
- thresholding not working Lawrence R. Hughes, Sr. (Jan 19)
- Re: thresholding not working Russ Combs (Jan 19)
- Re: thresholding not working Lawrence R. Hughes, Sr. (Jan 19)
- Re: thresholding not working Weir, Jason (Jan 19)
- Re: thresholding not working Lawrence R. Hughes, Sr. (Jan 19)
- Re: thresholding not working Russ Combs (Jan 19)
- Re: thresholding not working Lawrence R. Hughes, Sr. (Jan 19)
- Re: thresholding not working Russ Combs (Jan 19)
- Re: thresholding not working Lawrence R. Hughes, Sr. (Jan 19)
- Re: thresholding not working Lawrence R. Hughes, Sr. (Jan 19)
- Re: thresholding not working Russ Combs (Jan 19)