Snort mailing list archives
Re: thresholding
From: Doug Nordwall <doug () pnl gov>
Date: Mon, 22 Sep 2003 21:43:37 -0700
Tried this as well. Not working for me. Chris is looking at it, so perhaps some light will be shed.

On Monday, September 22, 2003, at 03:09 PM, Robert Vance Jr wrote:
> I believe you need to add the thresholding arguments to the signature definition itself. Try something like:
>
> alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Welchia"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; itype:8; depth:32; reference:arachnids,154; sid:483; classtype:misc-activity; threshold: type limit, track by_src, count 1, seconds 60; rev:3;)
>
> This should limit you to one Welchia alert per infected host per minute.
>
> Also be wary of false positives using this specific sig, as it would appear that Yahoo Messenger sends a keep-alive ping that matches that specific signature as well.
>
> rev
>
> On Mon, 2003-09-22 at 14:59, Doug Nordwall wrote:
> > I'm trying to suppress or threshold a particular rule with Snort 2.0.2.
> > I've read the README.thresholding over and am attempting the following:
> >
> > suppress gen_id 1, sig_id 483, track by_dst, ip x.x.x.x/x
> > threshold gen_id 1, sig_id 483, type threshold, track by_src, count 3, seconds 60
> > threshold gen_id 1, sig_id 483, type threshold, track by_dst, count 3, seconds 60
> >
> > None of them seem to stem the flow at all (outputting in unified format, reading fast.alert from barnyard output). I have not removed rule 483. Anyone know what I might be doing wrong?
>
> -------------------------------------------------------
> This sf.net email is sponsored by: ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
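A worked model of the filter semantics this thread is arguing about, added here as an illustration and not Snort's own code: it implements the README.thresholding rules (limit: alert on the first N events per window; threshold: alert every Nth event; both: alert once per window after N events) plus a standalone suppress, and runs Doug's configuration against a constructed stream of sid 483 events. The class names, the event dict layout and the addresses (192.0.2.4/32 standing in for his x.x.x.x/x) are assumptions made for the example.

```python
import ipaddress

# Added model of Snort 2.0 README.thresholding semantics (not Snort's code).
# An event is a dict: gen_id, sig_id, src, dst, ts (seconds). Filters are
# applied in the order given; a suppressed event is not counted by thresholds.
class Threshold:
    """threshold gen_id G, sig_id S, type limit|threshold|both, track ..., count N, seconds T"""
    def __init__(self, gen_id, sig_id, ftype, track, count, seconds):
        self.match = (gen_id, sig_id)
        self.ftype, self.track, self.count, self.seconds = ftype, track, count, seconds
        self.windows = {}  # tracked address -> (window_start, events_seen)

    def allow(self, ev):
        if (ev["gen_id"], ev["sig_id"]) != self.match:
            return True  # other signatures are untouched
        key = ev["src"] if self.track == "by_src" else ev["dst"]
        start, n = self.windows.get(key, (None, 0))
        if start is None or ev["ts"] - start >= self.seconds:
            start, n = ev["ts"], 0  # window expired: open a new one
        n += 1
        self.windows[key] = (start, n)
        if self.ftype == "limit":  # first `count` events per window
            return n <= self.count
        if self.ftype == "threshold":  # every `count`-th event per window
            return n % self.count == 0
        if self.ftype == "both":  # once per window, after `count` events
            return n == self.count
        raise ValueError("unknown threshold type %r" % self.ftype)

class Suppress:
    """suppress gen_id G, sig_id S, track by_src|by_dst, ip CIDR"""
    def __init__(self, gen_id, sig_id, track, cidr):
        self.match, self.track = (gen_id, sig_id), track
        self.net = ipaddress.ip_network(cidr)

    def allow(self, ev):
        if (ev["gen_id"], ev["sig_id"]) != self.match:
            return True
        addr = ev["src"] if self.track == "by_src" else ev["dst"]
        return ipaddress.ip_address(addr) not in self.net

def surviving_alerts(events, filters):
    # Events that every filter lets through, in arrival order.
    return [ev for ev in events if all(f.allow(ev) for f in filters)]

# Constructed sample: one host pings five targets over 10 s; sid 483 fires per ping.
EVENTS = [dict(gen_id=1, sig_id=483, src="10.0.0.5", dst="192.0.2.%d" % i, ts=2 * i)
          for i in range(1, 6)]
DOUGS_FILTERS = [Suppress(1, 483, "by_dst", "192.0.2.4/32"),  # stands in for x.x.x.x/x
                 Threshold(1, 483, "threshold", "by_src", 3, 60)]
```

With Doug's filters only the third ping survives (the fourth is suppressed and so never counted), while Robert's in-rule limit of count 1, seconds 60 keeps just the first ping from that host per minute.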
Current thread:
- thresholding Doug Nordwall (Sep 22)
- Re: thresholding Chris Green (Sep 22)
- Re: thresholding Doug Nordwall (Sep 22)
- Re: thresholding Robert Vance Jr (Sep 22)
- Re: thresholding Doug Nordwall (Sep 22)
- Re[2]: thresholding Jyri Hovila (Sep 23)
- Re: Re[2]: thresholding Doug Nordwall (Sep 23)
- Re: Re[2]: thresholding Nordwall, Douglas J (Sep 24)
- Re: thresholding Doug Nordwall (Sep 22)
- Re: thresholding Chris Green (Sep 22)