Snort mailing list archives

Need help about Snort - rate_filter


From: Jack Chuong <jack.chuong () itlvn com>
Date: Tue, 25 Nov 2014 07:40:17 +0000

Hi all,
I'm a Snort newbie. I read the manual and installed Snort 2.9.7.0 on CentOS 6.4 64-bit successfully; this is my test rule:

/etc/snort/rules/local.rules
alert icmp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ICMP test"; sid:10000001; rev:001;)

It works fine; this is the Snort alert log when I ping from my Windows client to the CentOS server:

11/24-14:52:44.452832  [**] [1:10000001:1]  <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
11/24-14:52:45.453391  [**] [1:10000001:1]  <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
11/24-14:52:46.455391  [**] [1:10000001:1]  <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
11/24-14:52:47.457442  [**] [1:10000001:1]  <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111

Now I want to apply rate_filter to my test rule to drop ICMP packets if they exceed a limit (over 10 packets/s, for example):

/etc/snort/rules/local.rules
alert icmp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ICMP test"; sid:10000001; rev:001;)
rate_filter gen_id 1, sig_id 1000001, track by_src, count 1, seconds 10, new_action sdrop, timeout 30

But it doesn't work: ICMP packets from my Windows client are not dropped, and my client can ping the CentOS server regularly (ping -t). How can I make it work and check that it works correctly?
Should I place the rate_filter option in local.rules or in /etc/snort/snort.conf? After searching I found a topic that says rate_filter should be placed at the end of Step #5: Configure preprocessors, before Step #6: Configure output plugins.

Thanks in advance.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
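Two things decide whether a rate_filter like the one above ever takes effect: its gen_id/sig_id must match the rule's gid/sid exactly (a filter keyed to a sid that no rule carries is accepted by the parser and simply never fires), and new_action sdrop only affects packets when Snort runs inline (DAQ inline mode); in passive mode Snort cannot drop anything, so the ping keeps being answered regardless. The script below is an added example written for this archive page, not code from the post or from the Snort project. It checks the rate_filter lines in a rules file against the sids actually defined there, and replays fast-alert log lines through the rate_filter semantics as documented in the Snort manual (more than `count` matches within `seconds`, tracked per source, switches the action to `new_action` for `timeout` seconds) so you can predict which packets should be dropped. The sample rule, filter and alert lines are copied from the post; the assumption that the original rule action is `alert`, the reset of the match window when the timeout starts, and the hypothetical function names are the editor's.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed samples, copied from the post: the rule, its rate_filter and four alert lines.
LOCAL_RULES = """\
alert icmp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ICMP test"; sid:10000001; rev:001;)
rate_filter gen_id 1, sig_id 1000001, track by_src, count 1, seconds 10, new_action sdrop, timeout 30
"""

ALERT_LOG = """\
11/24-14:52:44.452832  [**] [1:10000001:1]  <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
11/24-14:52:45.453391  [**] [1:10000001:1]  <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
11/24-14:52:46.455391  [**] [1:10000001:1]  <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
11/24-14:52:47.457442  [**] [1:10000001:1]  <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
"""

# A rule line: action keyword first, sid somewhere in the option list.
RULE_SID_RE = re.compile(r'^\s*(?:alert|log|pass|drop|sdrop|reject)\b.*\bsid:\s*(\d+)\s*;', re.M)
# A rate_filter line: everything after the keyword is a comma-separated option list.
RATE_FILTER_RE = re.compile(r'^\s*rate_filter\s+(.+?)\s*$', re.M)
# Snort "fast" alert format: timestamp, [gid:sid:rev], ..., {proto} src -> dst
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?'
    r'\{\w+\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)', re.M)

INT_OPTS = ('gen_id', 'sig_id', 'count', 'seconds', 'timeout')

def parse_rate_filters(rules_text):
    """Parse every rate_filter line into a dict of its options (apply_to lists are not handled)."""
    filters = []
    for body in RATE_FILTER_RE.findall(rules_text):
        opts = {}
        for field in body.split(','):
            key, _, val = field.strip().partition(' ')
            opts[key] = int(val) if key in INT_OPTS else val.strip()
        filters.append(opts)
    return filters

def check_rate_filters(rules_text):
    """Return the sig_ids of rate_filter lines that match no rule sid in the same file."""
    sids = {int(s) for s in RULE_SID_RE.findall(rules_text)}
    return [f['sig_id'] for f in parse_rate_filters(rules_text) if f['sig_id'] not in sids]

def _seconds(ts):
    # Fast-alert timestamps carry no year; any fixed year works for differences.
    dt = datetime.strptime('2000/' + ts, '%Y/%m/%d-%H:%M:%S.%f')
    return (dt - datetime(2000, 1, 1)).total_seconds()

def simulate(alert_log, filters):
    """Replay alert lines through the manual's rate_filter semantics and return the
    effective action per line ('alert' is assumed to be the original rule action)."""
    by_sig = {(f['gen_id'], f['sig_id']): f for f in filters}
    history = defaultdict(list)   # (gid, sid, tracked address) -> recent match times
    until = {}                    # same key -> time at which new_action reverts
    actions = []
    for m in ALERT_RE.finditer(alert_log):
        t = _seconds(m['ts'])
        f = by_sig.get((int(m['gid']), int(m['sid'])))
        if f is None:
            actions.append('alert')          # no filter keyed to this gid:sid
            continue
        addr = {'by_src': m['src'], 'by_dst': m['dst'], 'by_rule': '*'}[f['track']]
        key = (f['gen_id'], f['sig_id'], addr)
        if t < until.get(key, float('-inf')):
            actions.append(f['new_action'])  # still inside the timeout window
            continue
        window = [e for e in history[key] if f['seconds'] == 0 or t - e < f['seconds']] + [t]
        history[key] = window
        if len(window) > f['count']:         # limit exceeded: switch action for timeout seconds
            until[key] = float('inf') if f['timeout'] == 0 else t + f['timeout']
            history[key] = []                # assumption: the match window restarts after the timeout
            actions.append(f['new_action'])
        else:
            actions.append('alert')
    return actions

if __name__ == '__main__':
    print('rate_filter sig_ids with no matching rule:', check_rate_filters(LOCAL_RULES))
    print('actions with the posted config:', simulate(ALERT_LOG, parse_rate_filters(LOCAL_RULES)))
    fixed = LOCAL_RULES.replace('sig_id 1000001', 'sig_id 10000001')
    print('actions once sig_id matches the rule:', simulate(ALERT_LOG, parse_rate_filters(fixed)))
```

Run against the posted configuration, the check reports that sig_id 1000001 matches no rule, and the replay leaves all four pings as plain alerts, which is exactly the behaviour described in the post. Once the sig_id matches the rule's sid, the replay shows `count 1, seconds 10` firing on the second ping of any 10-second window and holding sdrop for 30 seconds; a real 10 packets/s limit would be `count 10, seconds 1`. Placement is not the issue: local.rules is reached through an include and is parsed by the same configuration parser as snort.conf, so the filter is read either way.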

