Snort mailing list archives

global threshold does not work on certain FILE-IDENTIFY rules


From: Clement Chen <plutochen2010 () gmail com>
Date: Wed, 20 Feb 2013 13:30:50 -0800

Hi all,

It seems to me that the global threshold does not work on certain FILE-IDENTIFY
rules. For example, I have the global threshold configured as follows:

+-----------------------[event-filter-global]----------------------------------
| gen-id=global sig-id=global type=Both      tracking=src count=1 seconds=180


However, the alert "FILE-IDENTIFY download of executable content" (gid 1,
sid 11192) still shows up many times within a minute. I also found that other
FILE-IDENTIFY rules have this issue.


The following is the rule:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY download of executable content"; flow:to_client,established; content:"application/octet-stream"; fast_pattern; nocase; http_header; pcre:"/^Content-Type\x3a[\x20\x09]+application\/octet-stream/smiH"; file_data; content:"MZ"; within:2; flowbits:set,file.exe; metadata:service http, service imap, service pop3; reference:url,www.microsoft.com/smallbusiness/resources/technology/security/practice_safe_computing_and_thwart_online_thugs.mspx; classtype:policy-violation; sid:11192; rev:13;)


Anyone noticing the same problem? I am using Snort 2.9.

Thanks.

Clement
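An added example (not part of the original post and not Snort's own code) that models the documented event_filter semantics behind the global filter shown above: "limit" passes the first m events per interval, "threshold" passes every m-th event, and "both" passes exactly once per interval after m events. The event stream, timestamps and IP addresses are constructed for illustration. It also shows a property of "tracking=src" worth checking when a sid keeps firing: each distinct source address gets its own count and window, so with to_client traffic a download from every different server is counted separately.

```python
"""Model of Snort's event_filter behaviour as described in the Snort manual.

Added example code, not Snort source; the filter logic follows the documented
semantics of type limit / threshold / both, and the event stream is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class EventFilter:
    type_: str          # "limit", "threshold" or "both"
    tracking: str       # "src" or "dst": which address the counter is keyed on
    count: int          # m in the manual's description
    seconds: int        # length of the counting window
    _state: dict = field(default_factory=dict)   # (gid, sid, ip) -> (window_start, seen)

    def allow(self, gid, sid, src, dst, ts):
        """Return True if this event should be logged, False if filtered."""
        ip = src if self.tracking == "src" else dst
        key = (gid, sid, ip)
        start, seen = self._state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0          # a new window begins with this event
        seen += 1
        self._state[key] = (start, seen)
        if self.type_ == "limit":
            return seen <= self.count    # first m events, then silence
        if self.type_ == "threshold":
            return seen % self.count == 0   # every m-th event
        if self.type_ == "both":
            return seen == self.count    # once per window, on the m-th event
        raise ValueError("unknown filter type: %r" % self.type_)


# Constructed stream of gid 1 sid 11192 hits: two external servers sending
# executable content to one HOME_NET client. Tuples are (seconds, src, dst).
EVENTS = [
    (0,   "198.51.100.10", "10.0.0.5"),
    (5,   "203.0.113.7",   "10.0.0.5"),
    (10,  "198.51.100.10", "10.0.0.5"),
    (20,  "198.51.100.10", "10.0.0.5"),
    (200, "198.51.100.10", "10.0.0.5"),   # outside the 180 s window: new window
]


def run_global_filter(tracking="src", type_="both", count=1, seconds=180):
    """Apply one global event_filter to EVENTS; returns a list of log decisions."""
    f = EventFilter(type_, tracking, count, seconds)
    return [f.allow(1, 11192, src, dst, ts) for ts, src, dst in EVENTS]


if __name__ == "__main__":
    for tracking in ("src", "dst"):
        print("type both, count 1, seconds 180, tracking", tracking,
              "->", run_global_filter(tracking))
```

With the post's configuration (type Both, count 1, seconds 180, tracking src) the model logs the first hit from each server and drops the repeats from the same server until the window expires; keyed on dst instead, every hit to the same client after the first is dropped. If a sid still fires many times per minute from a single source under a filter like this, the global filter is not being applied to that sid at all (for example because a per-rule event_filter or threshold takes precedence over the global one, as the manual describes), which is the case the post reports.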