Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: snort rate filtering

From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 14 Nov 2012 12:02:58 -0500
On Tue, Nov 13, 2012 at 11:20 PM, amin Salehi <seyedamin_salehi () yahoo com>wrote:


hi.i have a rule in local.rules file:
"alert icmp 10.10.7.2 any -> 10.10.8.2 any (msg:"ping probe";sid:1000001;)"
i add in snort.conf following command:
rate_filter gen_id 1, sig_id 1000001, track by_src, count 5, seconds 10,
new_action drop, timeout 15
this mean that if this match occur 5 time in 10 second for 15 second drop
the packet.but when the match reach this threshold all packet will be
dropped not for 15 second.all packet after this threshold will be drop.what
is the problem?

rate_filter won't revert until the rate of events drops below the

configured threshold.




------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: