Snort mailing list archives

Re: Pass rule vs. threshold/suppression


From: Jon Hart <jhart () spoofed org>
Date: Tue, 25 Jul 2006 09:37:47 -0700

On Tue, Jul 25, 2006 at 12:27:04PM -0400, Joel Esler wrote:
> Have you tested to see if this works?

I tried this a week or so ago with 2.4.5.  I was told it would work, but
my initial testing showed that it did not work -- I'd still get alerts
for that specific combination of sid, src and dest.  I only spent a few
minutes on this, but I recall seeing the threshold table being printed
when snort starts and it only include.

I just retested this and if a suppress rule has a by_src and by_dst, the
one that appears last on the config line takes precedence:

threshold.conf:
   suppress gen_id 1, sig_id 2925, track by_src, ip 1.2.3.4/32, track
   by_dst, ip 5.6.7.8/32

/var/log/messages:
   Jul 25 09:35:26 ids-box snort[6939]: | gen-id=1      sig-id=2925
   tracking=dstip=5.6.7.8           mask=255.255.255.255


-jon
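A small lint check for the pitfall Jon describes, added here as an example and not part of the original post or of Snort itself: it scans threshold.conf for `suppress` lines that carry more than one `track` clause (which, as observed above on 2.4.5, leaves only the last one in effect) and rewrites such a line into one `suppress` entry per track/ip pair. The sample configuration is constructed.

```python
import ipaddress

# Constructed sample threshold.conf (not from the original post); line 4
# carries two 'track' clauses, the case tested above on Snort 2.4.5.
SAMPLE_CONF = """\
# suppress sid 2925 for one source host (well-formed)
suppress gen_id 1, sig_id 2925, track by_src, ip 1.2.3.4/32
# two 'track' clauses on one line: only the last one takes effect
suppress gen_id 1, sig_id 2925, track by_src, ip 1.2.3.4/32, track by_dst, ip 5.6.7.8/32
"""

def parse_suppress(line):
    """Split a 'suppress' line into ordered (keyword, value) pairs."""
    body = line.strip()[len("suppress"):]
    pairs = []
    for field in body.split(","):
        parts = field.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed suppress field: %r" % field)
        pairs.append((parts[0], parts[1].strip()))
    return pairs

def lint_threshold_conf(text):
    """Return (line_no, message) for every suppress line with >1 track clause,
    naming the clause Snort would actually keep (the last one)."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line.startswith("suppress"):
            continue
        pairs = parse_suppress(line)
        tracks = [v for k, v in pairs if k == "track"]
        ips = [v for k, v in pairs if k == "ip"]
        for ip in ips:
            ipaddress.ip_network(ip, strict=False)  # raises on a bad address
        if len(tracks) > 1:
            findings.append((no, "%d track clauses; only 'track %s, ip %s' "
                             "takes effect, use one suppress line per track"
                             % (len(tracks), tracks[-1], ips[-1])))
    return findings

def split_suppress(line):
    """Rewrite a multi-track suppress line as one line per track/ip pair."""
    pairs = parse_suppress(line)
    base = ", ".join("%s %s" % kv for kv in pairs if kv[0] in ("gen_id", "sig_id"))
    out, track = [], None
    for k, v in pairs:
        if k == "track":
            track = v
        elif k == "ip" and track is not None:
            out.append("suppress %s, track %s, ip %s" % (base, track, v))
            track = None
    return out
```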
