Snort mailing list archives

snort not alerting on same ip ssh attack after restart


From: John Devine <john.devine () nuspire com>
Date: Fri, 8 Apr 2016 18:06:13 +0000

Hi all,

I am testing alerts on snort 2.9.2.2 on a box running debian by using a mock ssh attack to trigger one of snort's 
default rules. The rule is generated after 5 ssh attempts are made within 60 seconds. I am using snort as-is; I have 
created no custom rules. I can reproduce this about once a day but after a reboot of the box or restart of snort it 
will not generate an alert after using the same mock ssh attack even when I 'attack' it from a different IP. My guess 
is that there is some default local event filter for a specific rule that prevents the alert from generating again 
within a certain timeframe. I tried creating a global event filter (event_filter gen_id 0, sig_id 0, type both, track 
by_src, count -1, seconds 1) in the hope of circumventing all time limits and thresholds that could be preventing snort 
from alerting. Is there a way to disable any default filters that are preventing snort from generating multiples of the 
same alerts? If that is even the problem. Essentially, I want snort to be able to generate the same alert every time it 
happens, which it currently does not.

Thanks.
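As an added illustration, not part of the post above and not Snort's own code, the following Python model shows how a rule-level `detection_filter` (count N within S seconds per source, the shape the default SSH brute-force rule uses) and a `event_filter` of type `limit`, `threshold` or `both` combine to gate alerts. The semantics follow the descriptions in the Snort 2.x manual; the model fires on the count-th matching event (Snort's exact boundary handling is not asserted here), requires a positive count (so it does not reproduce the `count -1` filter tried in the post), and uses constructed timestamps and source addresses.

```python
"""Toy model of Snort 2.x alert gating: rule-level detection_filter followed by
an optional event_filter. Added example; assumptions are stated in comments."""


class DetectionFilter:
    """Rule option `detection_filter: track by_src, count N, seconds S`.
    The rule matches only once a source has produced N events within S seconds;
    later events inside the same window keep matching."""

    def __init__(self, count, seconds):
        if count <= 0 or seconds <= 0:
            raise ValueError("count and seconds must be positive")
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> (window_start, events_in_window)

    def passes(self, src, ts):
        start, n = self.state.get(src, (ts, 0))
        if ts - start >= self.seconds:   # window expired: start a fresh one
            start, n = ts, 0
        n += 1
        self.state[src] = (start, n)
        return n >= self.count           # model assumption: fires on the N-th event


class EventFilter:
    """Config line `event_filter gen_id G, sig_id S, type T, track by_src,
    count N, seconds S`, applied after the rule has matched:
      limit     - log the first N events per window, drop the rest
      threshold - log every N-th event in the window
      both      - log once per window, and only after N events were seen"""

    def __init__(self, ftype, count, seconds):
        if ftype not in ("limit", "threshold", "both"):
            raise ValueError("type must be limit, threshold or both")
        if count <= 0 or seconds <= 0:
            raise ValueError("count and seconds must be positive")
        self.ftype, self.count, self.seconds = ftype, count, seconds
        self.state = {}  # src -> (window_start, events_in_window, fired_this_window)

    def passes(self, src, ts):
        start, n, fired = self.state.get(src, (ts, 0, False))
        if ts - start >= self.seconds:
            start, n, fired = ts, 0, False
        n += 1
        if self.ftype == "limit":
            allowed = n <= self.count
        elif self.ftype == "threshold":
            allowed = n % self.count == 0
        else:  # both
            allowed = n >= self.count and not fired
            fired = fired or allowed
        self.state[src] = (start, n, fired)
        return allowed


def simulate(events, detection_filter, event_filter=None):
    """Run (timestamp, src) events through the filters; return alert timestamps."""
    alerts = []
    for ts, src in sorted(events):
        if not detection_filter.passes(src, ts):
            continue                      # rule has not matched yet
        if event_filter is not None and not event_filter.passes(src, ts):
            continue                      # rule matched, event_filter dropped it
        alerts.append(ts)
    return alerts


# Constructed sample: seven SSH attempts from one source 5 s apart, one more
# attempt 70 s later, and three attempts from a second source.
SAMPLE_EVENTS = [(0, "10.0.0.5"), (5, "10.0.0.5"), (10, "10.0.0.5"),
                 (15, "10.0.0.5"), (20, "10.0.0.5"), (25, "10.0.0.5"),
                 (30, "10.0.0.5"), (100, "10.0.0.5"),
                 (12, "10.0.0.9"), (14, "10.0.0.9"), (16, "10.0.0.9")]


def no_event_filter():
    # Rule with count 5 / 60 s and no event_filter: every attempt from the
    # fifth onward alerts, until the window lapses.  -> [20, 25, 30]
    return simulate(SAMPLE_EVENTS, DetectionFilter(5, 60))


def with_both_filter():
    # Same rule plus `type both, count 1, seconds 60`: one alert per source
    # per window, however many attempts follow inside it.  -> [20]
    return simulate(SAMPLE_EVENTS, DetectionFilter(5, 60),
                    EventFilter("both", 1, 60))


if __name__ == "__main__":
    print("no event_filter:", no_event_filter())
    print("event_filter type both:", with_both_filter())
```

The second source never reaches five attempts inside a window, so it never alerts under either configuration; the first source alerts three times with no event_filter but only once with `type both`. Comparing the two runs is the quickest way to tell a suppressed alert (rule matched, filter dropped it) from a rule that never matched at all.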