Snort mailing list archives
Threshold rule syntax?
From: Rich Adamson <radamson () routers com>
Date: Wed, 30 Jun 2004 13:18:05 -0600
I'm trying the following threshold rule in local.rules on 2.2.0-RC1 (Win32):

    alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S; threshold: type limit, track by_src, count 6, seconds 60; classtype:misc-activity; sid: 1000002; rev:1;)

and receive:

    ERROR: *** threshold: count *** Invalid integer input: 6
    Fatal Error, Quitting..

Anyone see anything wrong with the rule construction?

What is very odd is that after commenting out the above rule, snort starts and runs fine and reflects five other threshold rules that are constructed in what appears to be the same way.

What am I missing?

Rich