Snort mailing list archives

Re: Bug in 2.9.6.2???


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 27 Aug 2014 18:55:35 +0000

Cc’ing Snort-devel


On Aug 27, 2014, at 2:24 PM, Starner, Mark <mark.starner () unisys com> wrote:

A rule (ET Rule 2012647) has the following threshold in the rule:  threshold: type limit, count 1, seconds 300, track by_src

Prior to upgrading to 2.9.6.2, this worked as expected, one alert every 5 minutes.
Since upgrading to 2.9.6.2 on 8/15, now we are seeing the behavior where the rule will fire, wait 5 minutes, then fire again, and again and again.

But, it doesn’t start out this way. After a restart of Snort (STOP and START) it is fine, it alerts once every 5 minutes, for a while, and then at some point during the day, it will start reporting all alerts, until snort is STOPped and STARTed. Then it goes back to the proper behavior. (A Kill -HUP of the snort process does NOT reset to the proper behavior, only a STOP/START temporarily fixes it).

Anyone else see this or have any suggestions?

Is this a Bug in 2.9.6.2???



Mark Starner  | Global Infrastructure - Systems  |  Unisys IT

Unisys  |  443-921-0355







------------------------------------------------------------------------------
Slashdot TV.
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
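
One way to pin down when the behaviour reported above begins is to replay the alert log against the rule's threshold. The following is an added example, not part of the original messages or of Snort. It assumes Snort "fast" alert lines in time order, IPv4 sources, the documented `limit` semantics (alert on the first `count` events per interval per source, then stay silent until the interval ends), and a constructed sample log with a made-up rule message, revision and addresses.

```python
import re
from datetime import datetime

# Constructed sample in Snort "fast" alert format (not taken from the thread).
SAMPLE = """\
08/27-09:00:00.000000  [**] [1:2012647:1] constructed rule message [**] [Priority: 1] {TCP} 10.0.0.5:51234 -> 192.0.2.10:443
08/27-09:05:01.000000  [**] [1:2012647:1] constructed rule message [**] [Priority: 1] {TCP} 10.0.0.5:51240 -> 192.0.2.10:443
08/27-09:05:03.000000  [**] [1:2012647:1] constructed rule message [**] [Priority: 1] {TCP} 10.0.0.5:51241 -> 192.0.2.10:443
08/27-09:05:04.000000  [**] [1:2012647:1] constructed rule message [**] [Priority: 1] {TCP} 10.0.0.5:51242 -> 192.0.2.10:443
08/27-09:05:30.000000  [**] [1:2012647:1] constructed rule message [**] [Priority: 1] {TCP} 10.0.0.9:40000 -> 192.0.2.10:443
"""

# timestamp, sid (gid and rev are skipped), IPv4 source with optional port
ALERT = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] \[\d+:(\d+):\d+\]"
    r".*\{\w+\} (\d+\.\d+\.\d+\.\d+)(?::\d+)? ->"
)

def limit_violations(lines, sid, count=1, seconds=300, year=2014):
    """Return (timestamp, src) for every alert that
    'threshold: type limit, count N, seconds S, track by_src' should have suppressed."""
    windows = {}      # src -> [interval start, alerts seen in that interval]
    violations = []
    for line in lines:
        m = ALERT.match(line)
        if not m or int(m.group(2)) != sid:
            continue
        # Fast alerts carry no year; the caller supplies one (assumption).
        ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
        src = m.group(3)
        win = windows.get(src)
        if win is None or (ts - win[0]).total_seconds() >= seconds:
            windows[src] = [ts, 1]          # interval expired: this alert opens a new one
        elif win[1] < count:
            win[1] += 1                     # still within the allowed count
        else:
            violations.append((ts, src))    # should have been suppressed
    return violations

if __name__ == "__main__":
    for ts, src in limit_violations(SAMPLE.splitlines(), sid=2012647):
        print(f"{ts:%m/%d %H:%M:%S} {src}: alert inside an active 300 s limit interval")
```

The timestamp of the first violation per sensor gives a point to correlate with Snort restarts, reloads and uptime.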
