Snort mailing list archives
question about threshold
From: 강명훈 <mhkang589 () gmail com>
Date: Tue, 14 Jul 2015 20:19:33 +0900
Hi everyone. I have made the rules below.

alert udp any any -> 16x.12x.10x.2 53 (msg:"scan test"; threshold:type threshold, track by_src, count 1, seconds 2; classtype:TEST; sid:1999949;)
alert udp any any -> 16x.12x.10x.2 53 (msg:"flood test"; threshold:type threshold, track by_dst, count 1, seconds 2; classtype:TEST; sid:1999950;)

And I have tested with nslookup. Two packets (A and AAAA record) were sent per one DNS query. My expectation was that two 'scan test' events would happen. But two 'scan test' events and two 'flood test' events happened. Why do different rules match the same packet? Is it normal?

--
kangmyounghun.blogspot.kr <http://kangmyounghun.blogspot.kr/>
kr.linkedin.com/pub/myounghun-kang/74/238/93a <http://kr.linkedin.com/pub/myounghun-kang/74/238/93a>
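The behaviour asked about above, modelled as an added example (not code from the post or from Snort itself): Snort keeps threshold state per rule (keyed on the rule's sid plus the tracked address), so a packet whose header matches both rules is counted by both, and with count 1 every match alerts. DNS_SERVER and the two-packet nslookup burst are constructed stand-ins for the redacted address and traffic in the post.

```python
"""Model of Snort per-rule event thresholding (constructed example, not Snort source)."""
from collections import namedtuple

Packet = namedtuple("Packet", "t proto src dst dport")
DNS_SERVER = "192.0.2.53"  # constructed placeholder for the redacted 16x.12x.10x.2

class Threshold:
    """State for 'threshold:type <limit|threshold|both>, track by_src|by_dst, count c, seconds s'."""
    def __init__(self, ttype, track, count, seconds):
        self.ttype, self.track, self.count, self.seconds = ttype, track, count, seconds
        self.state = {}  # tracked address -> (window_start, events_in_window)

    def allow(self, pkt):
        key = pkt.src if self.track == "by_src" else pkt.dst
        start, seen = self.state.get(key, (pkt.t, 0))
        if pkt.t - start >= self.seconds:      # window expired: start a new one
            start, seen = pkt.t, 0
        seen += 1
        self.state[key] = (start, seen)
        if self.ttype == "limit":              # first c events per window
            return seen <= self.count
        if self.ttype == "threshold":          # every c-th event per window
            return seen % self.count == 0
        return seen == self.count              # both: once per window, at the c-th event

def make_rules(ttype):
    # The two rules from the post share one header and differ only in sid, msg and track
    return [
        {"sid": 1999949, "msg": "scan test",  "thr": Threshold(ttype, "by_src", 1, 2)},
        {"sid": 1999950, "msg": "flood test", "thr": Threshold(ttype, "by_dst", 1, 2)},
    ]

def header_matches(pkt):
    # alert udp any any -> DNS_SERVER 53
    return pkt.proto == "udp" and pkt.dst == DNS_SERVER and pkt.dport == 53

def run(rules, packets):
    """Evaluate every rule against every packet; return the alerts that pass thresholding."""
    events = []
    for pkt in packets:
        for rule in rules:
            # Each rule keeps its own counters: a packet matching two rules is
            # counted by both, so both can alert on the same packet.
            if header_matches(pkt) and rule["thr"].allow(pkt):
                events.append((pkt.t, rule["sid"], rule["msg"]))
    return events

# Constructed traffic: one nslookup = an A query and an AAAA query 10 ms apart
NSLOOKUP = [Packet(0.00, "udp", "10.0.0.5", DNS_SERVER, 53),
            Packet(0.01, "udp", "10.0.0.5", DNS_SERVER, 53)]

if __name__ == "__main__":
    for ev in run(make_rules("threshold"), NSLOOKUP):
        print(ev)   # four alerts: scan test and flood test for each of the two packets
```

Running the same traffic through make_rules("limit") shows the contrast: with type limit, count 1, seconds 2, each rule alerts only once per two-second window, so the second packet is suppressed.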