Snort mailing list archives

Help with rate_filter

From: Simon Blixt <blixten_496 () hotmail com>
Date: Wed, 9 May 2012 06:28:02 +0000

Still stuck with rate_filter. Please read the post under.

From: blixten_496 () hotmail com
To: akirk () sourcefire com; jesler () sourcefire com; snort-users () lists sourceforge net
Date: Mon, 7 May 2012 12:46:25 +0000
Subject: Re: [Snort-users] How to decide/find gen-id? [new question, rate_filter]

Hi,

Thanks for clearing it out for me! I have a new question. I've created a rule (just to learn about how to create rules 
in Snort) to drop packets from a possible DDoS-attack:
drop tcp any any -> 10.10.10.1 80 (msg:"testing"; flow:established,to_server; detection_filter:track by_src, count 100, 
seconds 5; sid:1000001;)

It works great, but after the attacker have done the attack, and failed, I still want to block him from accessing my 
site. Therefore I'm testing to make a rate_filter:
rate_filter gen_id 1, sig_id 1000001, track by_src, count 1, seconds 1, new_action drop, timeout 999999

It doesn't work. The attacker can still access the site, the timeout is not trigging(the whole rate_filter isn't 
triggering?). 
I'm not sure if I understand count and seconds correctly. I assume count is how many times the rule(sid 1000001) need 
to trigger in x seconds, before my rate_filter gets activated?
What have I missed?

Thank you in advance

Date: Mon, 7 May 2012 08:31:43 -0400
Subject: Re: [Snort-users] How to decide/find gen-id?
From: akirk () sourcefire com
To: blixten_496 () hotmail com
CC: snort-users () lists sourceforge net

The GID (generator ID) isn't something you should really be specifying manually. Text rules (as in *.rules within the 
standard rules directory) are all GID 1; shared object rules are GID 3; and preprocessor rules are assigned appropriate 
GIDs based upon the preprocessor creating them. 

On Mon, May 7, 2012 at 7:51 AM, Simon Blixt <blixten_496 () hotmail com> wrote:

Hi,
I'm setting up an rate_filter for my rule. But I'm stuck in choosing the gen-id.
Is it so simple that all *.rules have the gen-id 1? Or should I look in gen-msg.map for a gen-id to choose?
How do I know which to choose in gen-msg.map if that's the situation?

Thanks,
Blixten

------------------------------------------------------------------------------

Live Security Virtual Conference

Exclusive live event will cover all the ways today's security and

threat landscape has changed and how IT managers can respond. Discussions

will include endpoint security, mobile security and the latest in malware

threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

-- 
Alex Kirk
AEGIS Program Lead

Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Attachment: ATT00001
Description:

Attachment: ATT00002
Description:

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

How to decide/find gen-id? Simon Blixt (May 07)
- Re: How to decide/find gen-id? Joel Esler (May 07)
- Re: How to decide/find gen-id? Alex Kirk (May 07)
  - Re: How to decide/find gen-id? [new question, rate_filter] Simon Blixt (May 07)
    - Help with rate_filter Simon Blixt (May 08)