Snort mailing list archives

Threshold settings


From: Jeff Kell <jeff-kell () utc edu>
Date: Wed, 31 Dec 2003 15:17:28 -0500

The "current" rules for 2.1.0 have, among other things, signatures 2273 and 2274 warning of "brute force login attempts" at IMAP and POP3. The rules contain the threshold directives:

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login brute force attempt"; flow:to_server,established; content:"LOGIN"; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2273; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2274; rev:1;)

Two questions (posed to the snort-sigs list, but not strictly sig-related additions here):

(1) Do you have to make entries in threshold.conf for these SIDs? In the supplied threshold.conf there are no active directives, only comments. In other words, isn't defining the thresholds within the SID going to set the threshold settings, or do you have to duplicate them in threshold.conf as well?

(2) Both rules are tracking by_dst. Our central POP/IMAP servers are logging lots of these sigs (lots of people logging in or periodically checking for new mail). Shouldn't they be tracking by_src instead?

Jeff
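To make question (2) concrete, here is an added example (not part of the original post or of Snort's code) that simulates the `threshold:type threshold, count 5, seconds 60` directive over constructed login events and compares `track by_dst` with `track by_src`. It assumes a simplified model of Snort's behaviour: the counter for a tracked address is reset when it reaches `count` or when the window expires.

```python
from dataclasses import dataclass


@dataclass
class Event:
    ts: float   # seconds
    src: str    # client address
    dst: str    # mail server address


class Thresholder:
    """Simplified model of Snort's 'type threshold': fire every `count`
    matching events seen within `seconds` for the tracked address."""

    def __init__(self, track: str, count: int, seconds: int):
        assert track in ("by_src", "by_dst")
        self.track, self.count, self.seconds = track, count, seconds
        self.state: dict[str, tuple[float, int]] = {}  # key -> (window start, hits)

    def observe(self, ev: Event) -> bool:
        key = ev.src if self.track == "by_src" else ev.dst
        start, hits = self.state.get(key, (ev.ts, 0))
        if ev.ts - start >= self.seconds:      # window expired: start over
            start, hits = ev.ts, 0
        hits += 1
        if hits >= self.count:                 # assumption: reset after firing
            self.state[key] = (ev.ts, 0)
            return True
        self.state[key] = (start, hits)
        return False


def count_alerts(events: list[Event], track: str) -> int:
    th = Thresholder(track, count=5, seconds=60)
    return sum(th.observe(ev) for ev in events)


MAIL = "10.0.0.5"  # constructed: the central IMAP/POP3 server
# Constructed: eight different users each log in once within 8 seconds.
NORMAL_TRAFFIC = [Event(float(i), f"192.0.2.{i + 1}", MAIL) for i in range(8)]
# Constructed: one client sends six LOGINs in six seconds.
BRUTE_FORCE = [Event(100.0 + i, "198.51.100.9", MAIL) for i in range(6)]

if __name__ == "__main__":
    for name, evs in [("normal", NORMAL_TRAFFIC), ("brute", BRUTE_FORCE)]:
        print(name, "by_dst:", count_alerts(evs, "by_dst"),
              "by_src:", count_alerts(evs, "by_src"))
```

With `by_dst`, ordinary logins from many users fire the rule because every client's LOGIN counts against the single server address; with `by_src`, only the client that itself exceeds five attempts in the window triggers it.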


