Snort mailing list archives
Re: [sonrt-user]About rule options
From: Russ Combs <rcombs () sourcefire com>
Date: Thu, 26 Sep 2013 09:10:26 -0400
On Thu, Sep 26, 2013 at 6:52 AM, Mayur Patil <ram.nath241089 () gmail com> wrote:
Hello Joel Sir, I have looked for your solution but when I am generating rules by parsing through rule generator I am getting error. I want to use count, seconds to detect DoS Attack. As the following example parses effectively:

alert tcp 10.1.1.4 any -> 10.1.1.1 any (msg:"RAM"; content:"TAGMYPACKETS"; classtype:attempted-dos; flow:to_server,established; sid:100001; rev:1; )

but if I add count, seconds it does not work. I also tried with tag option:

alert tcp 10.1.1.4 any -> 10.1.1.1 any (msg:"RAM"; content:"TAGMYPACKETS"; classtype:attempted-dos; flow:to_server,established; sid:100001; rev:1; count:50; seconds:1)
Those aren't valid rule options. If you want to use them in a rule to determine when the rule fires, use detection_filter. If you want to use them to change the rule action, use rate_filter. And if you want to use them to limit logging, use event_filter. Only detection_filter can be used in a rule. rate_filter and event_filter are applied after the rule fires and therefore are specified separately.
Please help me to solve this problem !! Seeking guidance. Thanks !!

P.S.: I have also searched through the Snort Manual but did not get a hint.

--
Cheers,
Mayur.

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
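The three mechanisms Russ describes, applied to the rule from the quoted message, as an added example that is not part of the thread. It assumes Snort 2.9.x syntax and that the rule is run inline (for the drop action); the 5/10/60 figures in the rate_filter and event_filter lines are illustrative values, not from the thread.

```snort
# Added example, not from the thread. Assumes Snort 2.9.x syntax.

# 1) detection_filter is the only one of the three that lives inside the rule.
#    The rule fires only after 10.1.1.4 has sent more than 50 matching packets
#    to 10.1.1.1 within 1 second, tracked per source address. It replaces the
#    invalid "count:50; seconds:1;" options. rev bumped because the rule changed.
alert tcp 10.1.1.4 any -> 10.1.1.1 any (msg:"RAM"; flow:to_server,established; \
    content:"TAGMYPACKETS"; detection_filter:track by_src, count 50, seconds 1; \
    classtype:attempted-dos; sid:100001; rev:2;)

# The next two directives belong in snort.conf (or a threshold.conf included
# from it), not in the rules file, because they act after the rule has fired.

# 2) rate_filter changes the rule action: once sid 100001 fires 5 times in
#    10 seconds from one source, treat it as drop for the next 60 seconds.
rate_filter gen_id 1, sig_id 100001, track by_src, count 5, seconds 10, \
    new_action drop, timeout 60

# 3) event_filter limits logging only: record at most one event per source
#    per 60 seconds for sid 100001, however often the rule actually matches.
event_filter gen_id 1, sig_id 100001, type limit, track by_src, count 1, seconds 60
```

Snort evaluates detection_filter after all other options in the rule regardless of where it is written, and only one detection_filter is allowed per rule.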
Current thread:
- [sonrt-user]About rule options Mayur Patil (Sep 24)
- Re: [sonrt-user]About rule options Joel Esler (Sep 24)
- Re: [sonrt-user]About rule options Mayur Patil (Sep 26)
- Re: [sonrt-user]About rule options Russ Combs (Sep 26)
- Re: [sonrt-user]About rule options Mayur Patil (Sep 26)
- Re: [sonrt-user]About rule options Mayur Patil (Sep 26)
- Re: [sonrt-user]About rule options Joel Esler (Sep 24)