Snort mailing list archives
Re: [Q] thresholding: to throttle flood of alerts
From: "Matt Olney" <molney () sourcefire com>
Date: Thu, 16 Oct 2008 11:23:05 -0400
While odd, a quick test using ip instead of tcp in a test rule seems to work. I'm not certain how the decoder would handle this, or what the internals of Snort might do or not do based on this information. The VRT would almost certainly choose to write this rule as two rules, and, taking a quick look at our rule set, all IP rules are any any, portswise. While this works now, one of the concerns would be functionality going forward or back in Snort versions, and how various preprocessors would deal with the traffic. I'd strongly recommend making this two rules.

Matt

On Thu, Oct 16, 2008 at 10:42 AM, Jack Pepper <pepperjack () afferentsecurity com> wrote:

It *does* seem illogical to specify a (tcp/udp) port number when the protocol is not tcp or udp.

jp

Quoting Joel Esler <eslerj () gmail com>:

I think I remember someone saying not too long ago about you can't use ports with an "ip" rule?

J

On Oct 16, 2008, at 2:59 AM, Victor Klimov wrote:

Hi Leon,

Yeah, I know, it should work... But it doesn't:

#Rule for alerting common TCP/UDP flood attack:
alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; threshold: type limit, track by_src, count 1, seconds 600; classtype:attempted-dos; sid:100000160; rev:2;)

This rule above should limit the flooding alert: once in 10 min. However I continue to see a lot of 100000160 alerts, several per minute. Hmm...

Victor

On Wed, Oct 15, 2008 at 9:24 PM, Leon Ward <seclists () rm-rf co uk> wrote:

Hi. You are looking for "limit", or rather "both" limit and threshold. Take a look at README.thresholding in the /doc directory and the link below.

http://snort.org/docs/snort_htmanuals/htmanual_280/node330.html#Event_Thresholding

-Leon

On 15 Oct 2008, at 19:50, Victor Klimov wrote:

Hi Jack,

Actually I don't want to detect a flood. I already have some kind of flood, at least according to what I get from snort. I want to throttle the flood of 'flooding directed to SIP proxy' messages. Even if I changed the threshold values in the original rule, I do see several in, let's say, 3 min. That is what I want to throttle.
Victor

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
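As an added illustration (not code from the thread and not Snort's own implementation), here is a small Python model of the three threshold types that README.thresholding defines, run over constructed traffic with the rule's `type limit, track by_src, count 1, seconds 600` settings. It shows that the limit is kept per tracked address, so nine distinct sources still produce nine alerts in one window, while tracking by_dst collapses them to one; the window handling is simplified and the addresses are made up.

```python
# Added model of Snort event thresholding as README.thresholding describes it;
# this is NOT Snort's code, and a window simply opens at a key's first event.
#   limit     - alert on the first `count` events per `seconds`, then mute
#   threshold - alert on every `count`-th event within `seconds`
#   both      - alert once per window, after `count` events have been seen
class Threshold:
    def __init__(self, ttype, track, count, seconds):
        self.ttype, self.track = ttype, track
        self.count, self.seconds = count, seconds
        self.state = {}  # tracked address -> (window_start, events_in_window)

    def allow(self, src, dst, ts):
        """Return True if the event (src, dst, ts) should still be alerted."""
        key = src if self.track == "by_src" else dst
        start, n = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0                      # window expired: start over
        n += 1
        self.state[key] = (start, n)
        if self.ttype == "limit":
            return n <= self.count
        if self.ttype == "threshold":
            return n % self.count == 0
        if self.ttype == "both":
            return n == self.count
        raise ValueError("unknown threshold type: %s" % self.ttype)


def run(events, ttype="limit", track="by_src", count=1, seconds=600):
    """Apply one threshold to a (src, dst, ts) event stream; return the alerts."""
    t = Threshold(ttype, track, count, seconds)
    return [(src, ts) for src, dst, ts in events if t.allow(src, dst, ts)]


# Constructed sample traffic toward a SIP proxy (10.0.0.9), not captured data:
# nine hits in three minutes from one source, and nine hits from nine sources.
ONE_SOURCE = [("10.0.0.1", "10.0.0.9", ts) for ts in range(0, 180, 20)]
MANY_SOURCES = [("10.0.0.%d" % i, "10.0.0.9", i * 20) for i in range(1, 10)]

if __name__ == "__main__":
    print("one source, limit/by_src:", len(run(ONE_SOURCE)))                     # 1
    print("nine sources, limit/by_src:", len(run(MANY_SOURCES)))                 # 9
    print("nine sources, limit/by_dst:", len(run(MANY_SOURCES, track="by_dst"))) # 1
```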
Current thread:
- [Q] thresholding: to throttle flood of alerts Victor Klimov (Oct 15)
- Re: [Q] thresholding: to throttle flood of alerts Leon Ward (Oct 15)
- Re: [Q] thresholding: to throttle flood of alerts Victor Klimov (Oct 15)
- Re: [Q] thresholding: to throttle flood of alerts Joel Esler (Oct 16)
- Re: [Q] thresholding: to throttle flood of alerts Jack Pepper (Oct 16)
- Re: [Q] thresholding: to throttle flood of alerts Matt Olney (Oct 16)
- Re: [Q] thresholding: to throttle flood of alerts Victor Klimov (Oct 15)
- Re: [Q] thresholding: to throttle flood of alerts Markus Lude (Oct 16)
- Re: [Q] thresholding: to throttle flood of alerts Victor Klimov (Oct 16)
- Re: [Q] thresholding: to throttle flood of alerts Jack Pepper (Oct 16)
- Re: [Q] thresholding: to throttle flood of alerts Bob Konigsberg (Oct 16)
- Re: [Q] thresholding: to throttle flood of alerts Leon Ward (Oct 15)