Snort mailing list archives
Need help about Snort - rate_filter
From: Jack Chuong <jack.chuong () itlvn com>
Date: Tue, 25 Nov 2014 07:40:17 +0000
Hi all, I'm a Snort newbie. I read the manual and installed Snort 2.9.7.0 on CentOS 6.4 64-bit successfully. This is my test rule:

/etc/snort/rules/local.rules
    alert icmp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ICMP test"; sid:10000001; rev:001;)

It works fine. This is the Snort alert log when I ping from my Windows client to the CentOS server:

    11/24-14:52:44.452832 [**] [1:10000001:1] <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
    11/24-14:52:45.453391 [**] [1:10000001:1] <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
    11/24-14:52:46.455391 [**] [1:10000001:1] <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
    11/24-14:52:47.457442 [**] [1:10000001:1] <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111

Now I want to apply rate_filter to my test rule to drop ICMP packets if they exceed a limit (over 10 packets/s, for example):

/etc/snort/rules/local.rules
    alert icmp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ICMP test"; sid:10000001; rev:001;)
    rate_filter gen_id 1, sig_id 1000001, track by_src, count 1, seconds 10, new_action sdrop, timeout 30

But it doesn't work: ICMP packets from my Windows client are not dropped, and my client can ping the CentOS server regularly (ping -t). How can I make it work and check that it works correctly? Should I place the rate_filter option in local.rules or in /etc/snort/snort.conf? After searching I found a topic saying that rate_filter should be placed at the end of "Step #5: Configure preprocessors", before "Step #6: Configure output plugins".

Thanks in advance.
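As an added illustration that is not part of the post, the Python below models what the posted rate_filter decides for the four alert lines above, using the documented semantics (once count matches of gen_id:sig_id from one tracked source fall within seconds, the rule action becomes new_action for timeout seconds); it is an approximation for reasoning about the configuration, not Snort's own code.

```python
import re
from collections import defaultdict
# Constructed input: the alert lines from the post, in Snort's alert_fast layout.
SAMPLE_ALERTS = """\
11/24-14:52:44.452832 [**] [1:10000001:1] <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
11/24-14:52:45.453391 [**] [1:10000001:1] <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
11/24-14:52:46.455391 [**] [1:10000001:1] <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
11/24-14:52:47.457442 [**] [1:10000001:1] <eth1> ICMP test [**] [Priority: 0] {ICMP} 192.168.14.177 -> 192.168.30.111
""".splitlines()

ALERT_RE = re.compile(
    r"\d\d/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6}) "
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?\{\w+\} (?P<src>[\d.]+) -> (?P<dst>[\d.]+)")

def parse_alert(line):
    """One alert line -> (seconds since start of month, gid, sid, src, dst), or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    t = ((int(d["day"]) * 24 + int(d["h"])) * 60 + int(d["m"])) * 60 + int(d["s"]) + int(d["us"]) / 1e6
    return t, int(d["gid"]), int(d["sid"]), d["src"], d["dst"]

class RateFilter:
    """Approximate model of the documented rate_filter semantics (not Snort's code): after
    `count` matches from one tracked key within `seconds`, act as `new_action` for `timeout` s."""
    def __init__(self, gen_id, sig_id, track, count, seconds, new_action, timeout):
        self.gen_id, self.sig_id, self.track = gen_id, sig_id, track
        self.count, self.seconds, self.new_action, self.timeout = count, seconds, new_action, timeout
        self.hits = defaultdict(list)    # key -> match timestamps inside the current window
        self.until = defaultdict(float)  # key -> time at which new_action expires

    def action_for(self, event, rule_action="alert"):
        t, gid, sid, src, dst = event
        # gen_id/sig_id must equal the rule's gid:sid exactly. The post's filter says
        # sig_id 1000001 while the rule has sid 10000001, so it matches nothing.
        if (gid, sid) != (self.gen_id, self.sig_id):
            return rule_action
        key = src if self.track == "by_src" else dst
        if t < self.until[key]:
            return self.new_action       # still inside the timeout period
        self.hits[key] = [h for h in self.hits[key] if t - h < self.seconds] + [t]
        if len(self.hits[key]) >= self.count:
            self.until[key], self.hits[key] = t + self.timeout, []
            return self.new_action
        return rule_action

def replay(rf, lines):
    """Action per alert line; note that sdrop only really drops when Snort runs inline (-Q)."""
    return [rf.action_for(ev) for ev in map(parse_alert, lines) if ev]
```

Replaying the lines through a filter with sig_id 10000001 yields sdrop for every packet (count 1 triggers on the first match and the 30 s timeout covers the rest), while the filter as posted leaves every packet at alert.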