Snort mailing list archives
Re: threshold.conf limit not working for me
From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 26 Apr 2011 15:26:45 -0400
* event_filter replaces the deprecated threshold keyword.
* gen_id 0, sig_id 0 does mean "all".

Are you seeing this in the start up output?

+-----------------------[event-filter-global]----------------------------------
| gen-id=global sig-id=global type=Limit tracking=dst count=1 seconds=60

On Tue, Apr 26, 2011 at 3:01 PM, Agus <agus.262 () gmail com> wrote:
> Exactly Waldo. It means all. Will try threshold, but the examples and README
> recommend event_filter. Will try and get back.
>
> Thanks guys
>
> 2011/4/26 Lay, James <james.lay () wincofoods com>:
>> It's:
>>
>> threshold gen_id 0, sig_id 0 type limit, track by_dst, count 1, seconds 60
>>
>> James
>>
>> -----Original Message-----
>> From: waldo kitty [mailto:wkitty42 () windstream net]
>> Sent: Tuesday, April 26, 2011 12:54 PM
>> To: snort-users () lists sourceforge net
>> Subject: Re: [Snort-users] threshold.conf limit not working for me
>>
>> On 4/26/2011 13:21, Agus wrote:
>>> Hi guys,
>>>
>>> I'm running snort 2903 and added this line to threshold.conf
>>>
>>> event_filter gen_id 0, sig_id 0, type limit, track by_dst, count 1, seconds 60
>>
>> hunh? does a gen_id and sig_id of 0 mean "all"?
>>
>>> But when I start snort I see lots of this
>>>
>>> Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58447 -> 10.10.x.21:1433
>>> Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.100:53887 -> 10.10.x.21:1433
>>> Apr 26 13:03:12 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58448 -> 10.10.x.21:1433
>>> Apr 26 13:03:15 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.114:64883 -> 10.10.x.21:1433
>>> Apr 26 13:03:16 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58449 -> 10.10.x.21:1433
>>>
>>> Is there something I'm missing?
>>
>> shouldn't the line be gen_id 1, sig_id 2010935 ???
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
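The thread turns on what `event_filter gen_id 0, sig_id 0, type limit, track by_dst, count 1, seconds 60` should do to the five alerts Agus posted. The following script is an added illustration, not code from the thread or from Snort itself: it parses those alert lines (copied from the post above, with the anonymised `x` octets left as posted) and replays a simplified model of Snort's `type limit` filter over them, so the effect of `track by_dst` versus `track by_src` and of a global (0/0) versus rule-specific (1/2010935) filter can be seen side by side. The model assumes the documented limit semantics (log the first `count` events per tracked address in each `seconds` window, then suppress the rest of the window) and assumes the window is tracked per gen_id:sig_id per address; both are this example's assumptions, not a description of Snort's internal implementation.

```python
import re
from datetime import datetime

# Alert lines copied from the thread (constructed input for this example; the
# "x" octets are the anonymisation from the original post, not real addresses).
SAMPLE_ALERTS = """\
Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58447 -> 10.10.x.21:1433
Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.100:53887 -> 10.10.x.21:1433
Apr 26 13:03:12 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58448 -> 10.10.x.21:1433
Apr 26 13:03:15 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.114:64883 -> 10.10.x.21:1433
Apr 26 13:03:16 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58449 -> 10.10.x.21:1433
"""

# Syslog-style Snort alert line: timestamp, host, [gid:sid:rev], message, {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Return a list of dicts, one per parsable alert line (unparsable lines are skipped)."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        # Year is absent from syslog timestamps; only relative times matter here.
        a["time"] = datetime.strptime(a["ts"], "%b %d %H:%M:%S")
        a["gid"], a["sid"] = int(a["gid"]), int(a["sid"])
        alerts.append(a)
    return alerts


class LimitFilter:
    """Simplified model of 'event_filter gen_id G, sig_id S, type limit, track T, count N, seconds W'.

    gen_id 0 / sig_id 0 matches every rule, as the thread confirms. The window for each
    (gid, sid, tracked address) starts at the first event seen; the first `count` events in
    that window are logged and the remainder suppressed until `seconds` have elapsed.
    Keying per gid:sid per address is this example's assumption.
    """

    def __init__(self, gen_id, sig_id, track, count, seconds):
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        self.gen_id, self.sig_id = gen_id, sig_id
        self.track, self.count, self.seconds = track, count, seconds
        self.windows = {}  # (gid, sid, ip) -> (window_start, events_seen_in_window)

    def matches(self, alert):
        return self.gen_id in (0, alert["gid"]) and self.sig_id in (0, alert["sid"])

    def should_log(self, alert):
        """True if the alert survives the filter (would be written to the log)."""
        if not self.matches(alert):
            return True  # filter does not apply to this rule; alert passes untouched
        ip = alert["src"] if self.track == "by_src" else alert["dst"]
        key = (alert["gid"], alert["sid"], ip)
        start, seen = self.windows.get(key, (None, 0))
        if start is None or (alert["time"] - start).total_seconds() >= self.seconds:
            start, seen = alert["time"], 0  # open a fresh window on this event
        seen += 1
        self.windows[key] = (start, seen)
        return seen <= self.count


def apply_filter(text, **filter_args):
    """Parse the alert text and return only the alerts the filter would let through."""
    f = LimitFilter(**filter_args)
    return [a for a in parse_alerts(text) if f.should_log(a)]


if __name__ == "__main__":
    for label, args in (
        ("global limit, track by_dst", dict(gen_id=0, sig_id=0, track="by_dst", count=1, seconds=60)),
        ("global limit, track by_src", dict(gen_id=0, sig_id=0, track="by_src", count=1, seconds=60)),
        ("rule-specific 1:2010935, by_dst", dict(gen_id=1, sig_id=2010935, track="by_dst", count=1, seconds=60)),
    ):
        kept = apply_filter(SAMPLE_ALERTS, **args)
        print(f"{label}: {len(kept)} of 5 alerts logged")
        for a in kept:
            print(f"  {a['ts']} {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}")
```

With the filter as written in the thread (global, by_dst, count 1, 60 s) only the first of the five alerts to 10.10.x.21 survives; the same filter with `track by_src` keeps three (one per source address), which is a quick way to check whether a deployed filter is behaving as intended before trusting the startup banner alone.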
Current thread:
- threshold.conf limit not working for me Agus (Apr 26)
- Re: threshold.conf limit not working for me waldo kitty (Apr 26)
- Re: threshold.conf limit not working for me Lay, James (Apr 26)
- Re: threshold.conf limit not working for me Agus (Apr 26)
- Re: threshold.conf limit not working for me Agus (Apr 26)
- Re: threshold.conf limit not working for me Russ Combs (Apr 26)
- Re: threshold.conf limit not working for me waldo kitty (Apr 27)
- Re: threshold.conf limit not working for me Lay, James (Apr 26)
- Re: threshold.conf limit not working for me waldo kitty (Apr 26)