Snort mailing list archives
Flowbits and threshold
From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Wed, 14 Sep 2011 10:33:23 +0530
Hi,

I was wondering how flowbits are interpreted in a rule that has threshold keywords. Suppose I have a rule that checks if my proxy has just denied a request to a user:

alert tcp any 8080 -> any any (msg:"Proxy Denies"; content:"ERR_CACHE_ACCESS_DENIED"; http_header; threshold:type threshold,track by_dst, count 60, seconds 60; flowbits:set,proxy.deny; flowbits:noalert; sid:1000010; rev:1;)

Since I want to log the packet that shows what URL the user was trying to access, I write the following rule to log one packet only for a denied request exceeding the threshold:

alert tcp any 8080 -> any any (msg:"Proxy Access Denied"; flowbits:isset,proxy.deny; content:"While trying to retrieve the URL:",nocase; flowbits:unset,proxy.deny; threshold:type threshold,track by_dst, count 60, seconds 60; sid:1000011; rev:1;)

Is the flowbit set when the first packet with ERR_CACHE_ACCESS_DENIED is seen, or when the threshold is passed? Also, if I do not put the threshold limit in the second rule and allow the first rule to also generate alerts, I get about 60 alerts from the second rule for each alert of the first rule. Since I unset the flowbit after the second rule fires, shouldn't the second rule quieten down till the next time the threshold is breached?

I can't use tag because the background script (that processes these alerts) expects only one packet per alert, and also since the docs say that tag doesn't work great with the database output plugin.

Regards,
Dheeraj
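The interaction the post asks about, as an added model that is not part of the thread or of Snort itself: it assumes Snort's documented semantics that flowbits state lives per flow and is set or unset as soon as the rule's options match, while the threshold keyword (type threshold, track by_dst) only filters whether an already-matched rule emits an alert. The payload, flow ids and destination are constructed, and the content checks are simplified (no http_header restriction).

```python
from collections import defaultdict

THRESHOLD_COUNT, THRESHOLD_SECS = 60, 60   # from the two rules in the post


class Sensor:
    """Minimal model of the two rules: sid 1000010 sets proxy.deny, sid 1000011 consumes it."""

    def __init__(self):
        self.flowbits = defaultdict(set)   # flow_id -> names of bits set on that flow
        self.counters = {}                 # (sid, dst) -> (window_start, match_count)
        self.alerts = []                   # (sid, flow_id) for every alert emitted

    def threshold_passes(self, sid, dst, ts):
        """type threshold: alert on every COUNT-th match per destination inside a SECS window."""
        start, count = self.counters.get((sid, dst), (ts, 0))
        if ts - start >= THRESHOLD_SECS:   # window expired, start counting again
            start, count = ts, 0
        count += 1
        self.counters[(sid, dst)] = (start, count)
        return count % THRESHOLD_COUNT == 0

    def inspect(self, ts, flow_id, dst, payload, rule1_noalert=True, rule2_threshold=True):
        bits = self.flowbits[flow_id]
        # sid 1000010: content matches -> the bit is set on this flow immediately;
        # threshold is consulted only for the alert, and flowbits:noalert suppresses it.
        if "ERR_CACHE_ACCESS_DENIED" in payload:
            bits.add("proxy.deny")
            if not rule1_noalert and self.threshold_passes(1000010, dst, ts):
                self.alerts.append((1000010, flow_id))
        # sid 1000011: isset + nocase content -> unset the bit on this flow, then threshold.
        if "proxy.deny" in bits and "while trying to retrieve the url:" in payload.lower():
            bits.discard("proxy.deny")
            if not rule2_threshold or self.threshold_passes(1000011, dst, ts):
                self.alerts.append((1000011, flow_id))


def simulate(denials, rule2_threshold):
    """Constructed traffic: each denied request is its own proxy session (flow) carrying
    both strings, one every half second. Returns (rule-1 alerts, rule-2 alerts) with
    rule 1 allowed to alert, as in the observation described in the post."""
    s = Sensor()
    payload = ("X-Squid-Error: ERR_CACHE_ACCESS_DENIED\r\n\r\n"
               "While trying to retrieve the URL: http://example.test/")
    for i in range(denials):
        s.inspect(ts=i * 0.5, flow_id=f"flow-{i}", dst="10.0.0.5", payload=payload,
                  rule1_noalert=False, rule2_threshold=rule2_threshold)
    return (sum(1 for sid, _ in s.alerts if sid == 1000010),
            sum(1 for sid, _ in s.alerts if sid == 1000011))
```

Because the unset only touches the flow that alerted, a fresh session with a fresh denial re-sets the bit, which is why an unthresholded second rule fires once per denial while the thresholded first rule fires once per 60.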
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Flowbits and threshold Dheeraj Gupta (Sep 13)
- Re: Flowbits and threshold Jason Wallace (Sep 14)
- Re: Flowbits and threshold Dheeraj Gupta (Sep 14)
- Re: Flowbits and threshold Jason Wallace (Sep 14)