Snort mailing list archives
Re: snort packet rate filter rules issue on linux kernel 4.4.74
From: alex cheimarios via Snort-devel <snort-devel () lists snort org>
Date: Thu, 5 Oct 2017 20:21:54 +0300
Looks like it works on Ubuntu with kernel 4 though. So it could have been something in the kernel config.

On Sep 6, 2017 23:35, "alex cheimarios" <alex.cheimarios () gmail com> wrote:

Hello all, I have experienced an issue with rate filter rules on SLES12 kernel 4.4.74 with latest snort 2.9.9.0. It seems that snort somehow aggregates the incoming packets in the rule without taking into account the time interval, so it is blocking the remote host when the packets reach the max count of the rate filter. For example I have the following rule for ICMP packets:

rate_filter gen_id 1, sig_id 9000100, track by_src, count 20, seconds 1, new_action drop, timeout 60

When I am doing a ping every 1 sec from the remote host (so the rate is 1 packet per sec), snort is blocking the ping at 20th incoming ICMP. It seems that it does not take into account the time interval of the rate filter. Has anyone experienced a similar issue on kernel 4?
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
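As an added illustration, not Snort's code and not from the thread, here is a small Python model of the rate_filter quoted above (count 20, seconds 1, new_action drop, timeout 60). The window-reset behaviour, the "drop on reaching count" threshold and the source address 10.0.0.5 are assumptions of the model; with the window reset disabled it reproduces the symptom the report describes (a 1 packet/sec ping dropped at the 20th packet).

```python
from dataclasses import dataclass, field


@dataclass
class RateFilter:
    """Simplified model of a Snort rate_filter (assumed semantics, not Snort source)."""
    count: int          # matches allowed inside one sampling window
    seconds: float      # length of the sampling window
    timeout: float      # how long new_action stays in effect once triggered
    reset_window: bool = True  # False models the reported bug: counter never resets
    windows: dict = field(default_factory=dict)        # src -> (window_start, matches)
    blocked_until: dict = field(default_factory=dict)  # src -> time when new_action ends

    def check(self, src, now):
        """Return 'drop' or 'pass' for one packet from src seen at time now (seconds)."""
        # A source already under new_action stays dropped until timeout expires
        if src in self.blocked_until:
            if now < self.blocked_until[src]:
                return "drop"
            del self.blocked_until[src]
        start, matches = self.windows.get(src, (now, 0))
        # Expired window: start a fresh sampling period. This is the step that the
        # report suggests is not happening on that kernel (count keeps aggregating).
        if self.reset_window and now - start >= self.seconds:
            start, matches = now, 0
        matches += 1
        self.windows[src] = (start, matches)
        if matches >= self.count:
            self.blocked_until[src] = now + self.timeout
            del self.windows[src]
            return "drop"
        return "pass"


def simulate(interval, n, count=20, seconds=1.0, timeout=60.0, reset_window=True):
    """Send n packets from one constructed source spaced `interval` seconds apart.

    Returns the 1-based index of the first dropped packet, or None if all pass.
    """
    rf = RateFilter(count=count, seconds=seconds, timeout=timeout, reset_window=reset_window)
    for i in range(n):
        if rf.check("10.0.0.5", i * interval) == "drop":
            return i + 1
    return None


if __name__ == "__main__":
    print("1 pkt/s, window reset:", simulate(1.0, 100))          # None: never triggers
    print("100 pkt/s burst:", simulate(0.01, 30))                # 20: triggers within 1 s
    print("1 pkt/s, no reset:", simulate(1.0, 100, reset_window=False))  # 20: reported symptom
```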