Snort mailing list archives
global threshold does not work on certain file-identify rules
From: Clement Chen <plutochen2010 () gmail com>
Date: Wed, 20 Feb 2013 13:30:50 -0800
Hi all,

It seems to me that the global threshold does not work on certain FILE-IDENTIFY rules. For example, I have the global threshold as follows:

+-----------------------[event-filter-global]----------------------------------
| gen-id=global sig-id=global type=Both tracking=src count=1 seconds=180

However, the alert "FILE-IDENTIFY download of executable content" (gid 1, sid 11192) still shows up many times in a minute. I also found that other FILE-IDENTIFY rules have this issue. The following is the rule:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY download of executable content"; flow:to_client,established; content:"application/octet-stream"; fast_pattern; nocase; http_header; pcre:"/^Content-Type\x3a[\x20\x09]+application\/octet-stream/smiH"; file_data; content:"MZ"; within:2; flowbits:set,file.exe; metadata:service http, service imap, service pop3; reference:url,www.microsoft.com/smallbusiness/resources/technology/security/practice_safe_computing_and_thwart_online_thugs.mspx; classtype:policy-violation; sid:11192; rev:13;)

Anyone noticing the same problem? I am using Snort 2.9.

Thanks.
Clement
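The following is an added example, not code from the post or from the Snort project. It models the documented semantics of a Snort `event_filter` line (`type limit|threshold|both`, `track by_src|by_dst`, `count`, `seconds`) over a constructed alert stream, so that a reader can see how many alerts the poster's global setting (type both, track by_src, count 1, seconds 180) should let through: at most one alert per source IP per signature every 180 seconds. It also shows the precedence rule Snort documents for global filters, namely that a filter bound to a specific gid/sid (or a `threshold` option inside the rule) takes precedence over the global one, which is the first thing to check when a global filter appears not to apply. The sample events, IPs and times are constructed; keeping counters per (gid, sid, tracked IP) and the simple fixed-window handling are modelling assumptions, not a claim about Snort's internal `sfthd` implementation.

```python
"""Model of Snort event_filter semantics over a constructed alert stream (added example)."""

# Constructed sample alert stream: (time_seconds, gid, sid, src_ip, dst_ip).
# gid/sid are those of the rule quoted in the post; the IPs and times are made up.
SAMPLE_EVENTS = [
    (0,   1, 11192, "10.0.0.5", "192.0.2.10"),
    (5,   1, 11192, "10.0.0.5", "192.0.2.11"),
    (30,  1, 11192, "10.0.0.5", "192.0.2.12"),
    (100, 1, 11192, "10.0.0.7", "192.0.2.10"),
    (150, 1, 11192, "10.0.0.5", "192.0.2.10"),
    (200, 1, 11192, "10.0.0.5", "192.0.2.10"),  # 200 s after the first: new window for 10.0.0.5
    (210, 1, 11192, "10.0.0.5", "192.0.2.10"),
]


class EventFilter:
    """One 'event_filter gen_id G, sig_id S, type T, track by_src|by_dst, count C, seconds W' line.

    gen_id 0 / sig_id 0 means "all rules" (the gen-id=global sig-id=global line in the post).
    Counters are kept per (gid, sid, tracked IP); that keying is a modelling assumption.
    """

    def __init__(self, gen_id, sig_id, ftype, track, count, seconds):
        if ftype not in ("limit", "threshold", "both"):
            raise ValueError("type must be limit, threshold or both")
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        self.gen_id, self.sig_id = gen_id, sig_id
        self.ftype, self.track = ftype, track
        self.count, self.seconds = count, seconds
        self._state = {}  # key -> (window_start, events_seen_in_window)

    def matches(self, gid, sid):
        return self.gen_id in (0, gid) and self.sig_id in (0, sid)

    def is_global(self):
        return self.gen_id == 0 and self.sig_id == 0

    def allow(self, ts, gid, sid, src, dst):
        """Return True if the event should be logged, False if this filter suppresses it."""
        key = (gid, sid, src if self.track == "by_src" else dst)
        start, seen = self._state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0          # first event, or window expired: start a new window
        seen += 1
        self._state[key] = (start, seen)
        if self.ftype == "limit":        # log the first C events in a window, drop the rest
            return seen <= self.count
        if self.ftype == "threshold":    # log every C-th event in a window
            return seen % self.count == 0
        return seen == self.count        # both: log once per window, on the C-th event


def filter_events(filters, events):
    """Apply EventFilter objects to an event stream and return the events that get logged.

    A filter bound to a specific gid/sid takes precedence over the global one, as Snort
    documents; events with no matching filter are always logged.
    """
    logged = []
    for ev in events:
        ts, gid, sid, src, dst = ev
        candidates = [f for f in filters if f.matches(gid, sid)]
        specific = [f for f in candidates if not f.is_global()]
        chosen = specific or candidates
        # Evaluate every chosen filter so each one's counters advance, then combine.
        decisions = [f.allow(ts, gid, sid, src, dst) for f in chosen]
        if all(decisions):
            logged.append(ev)
    return logged


def logged_times(filters, events=SAMPLE_EVENTS):
    """Timestamps of the events that survive the given (fresh) filters."""
    return [ev[0] for ev in filter_events(filters, events)]


if __name__ == "__main__":
    post_global = EventFilter(0, 0, "both", "by_src", 1, 180)
    print("no filter        :", logged_times([]))
    print("post's global    :", logged_times([post_global]))
    print("limit 2 / 180 s  :", logged_times([EventFilter(0, 0, "limit", "by_src", 2, 180)]))
    # A rule-specific filter wins over the global one, so the global count of 1 no longer applies:
    print("specific + global:", logged_times([EventFilter(1, 11192, "limit", "by_src", 3, 180),
                                              EventFilter(0, 0, "both", "by_src", 1, 180)]))
```

With the poster's settings the constructed stream of seven alerts collapses to three (one per source per 180-second window); the last line of the usage shows how a rule-specific filter silently replaces that behaviour, which is worth ruling out with `snort -T` output or a grep of `threshold.conf` and the rule's own options before concluding the global filter is broken. Filters are stateful, so construct a fresh `EventFilter` for each run.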