Snort mailing list archives

Re: Reset Counters


From: Erek Adams <erek () snort org>
Date: Fri, 24 Jan 2003 08:52:03 -0500 (EST)

On Thu, 23 Jan 2003, Bob McDowell wrote:

> Bring on the penalty drinks, but I need help.

Why I don't know what you mean sir!  ;-)

> True or False: 'USER overflow' rules are triggered by the same IP passing
> too many 'USER' commands from the same IP within a specified amount of time.

False.

> At first I thought this was how this worked.  Testing certainly seemed to
> prove it out to be so.  If this is the case, I need to allow more
> consecutive attempts before I send a 'resp' packet.

You really can't do that.  Snort currently doesn't have a "this rule was
triggered X times, so now do this" type of feature.

> In researching the rule (specifically the FTP USER overflow rule) I can't
> find anything that relates to my observation.  From looking at the rule, it
> seems to examine the content of each packet - and not have anything to do
> with the number of tries.

Right.  It's looking for 0a (hex) within 100 bytes of the USER
command in an FTP session.

> Thus, confusion ensues.

Confusion abounds _everywhere_!  Welcome to the club!

> Any help would be greatly appreciated.  Also anything written more clearly
> than the 'How to Write..' that might explain this would be great.  Maybe I'm
> just tired, but it is giving me a headache.

Nope, nothing more than that or the FAQ.  My suggestion is to print it,
and then flip thru the paper version.  That makes it easier to read for
me.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
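
The per-packet check discussed in this thread, as an added example that is not part of the original message and is not Snort code. It assumes the rule alerts when no 0a byte appears within 100 bytes after a case-insensitive "USER "; the function names and sample packets are constructed for illustration.

```python
# Added illustration of a stateless content check; not Snort source code.
# Assumption: an alert means "no 0x0a byte within 100 bytes after 'USER '".
WITHIN = 100          # the 100-byte window mentioned in the reply
KEYWORD = b"user "    # matched case-insensitively


def user_overflow_match(payload: bytes) -> bool:
    """Return True if any 'USER ' in this one packet has no newline in the window."""
    lowered = payload.lower()
    start = 0
    while True:
        idx = lowered.find(KEYWORD, start)
        if idx == -1:
            return False
        begin = idx + len(KEYWORD)
        window = payload[begin:begin + WITHIN]
        # In this model a packet that simply ends before the newline also matches.
        if b"\x0a" not in window:
            return True
        start = idx + 1


def alerts_for_session(packets):
    """Evaluate every packet on its own; nothing is counted across packets."""
    return [user_overflow_match(p) for p in packets]


# Constructed sample traffic: five ordinary login attempts in a row, then one
# packet whose USER argument runs past the window before the line ends.
REPEATED_LOGINS = [b"USER bob\r\n"] * 5
LONG_ARGUMENT = b"USER " + b"A" * 200 + b"\r\n"

if __name__ == "__main__":
    print("repeated short USER commands:", alerts_for_session(REPEATED_LOGINS))
    print("single long USER argument:   ", user_overflow_match(LONG_ARGUMENT))
```

Because the check keeps no state, the number of USER commands a client sends has no effect on the result; only the bytes of each individual packet do.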

