Snort mailing list archives

Specific rule for bandwidth


From: Gabriel Corre <gabriel.corre () fr clara net>
Date: Tue, 15 Sep 2015 07:24:11 +0000

Hello,

I would like to use "stream_size" as a bandwidth controller. Thus I created this rule to test its functionality:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"WARNING! Session bandwidth > 8 bytes"; stream_size:both,>,8; sid:1000000001;)
I would like to know if "stream_size" is reset when the alert is triggered or if it still counts the number of bytes observed.

The doc says: "The stream size keyword allows a rule to match traffic according to the number of bytes observed, as determined by the TCP sequence numbers." It doesn't pinpoint this aspect and I'm not sure about my bandwidth test.

Regards,

--

Gabriel Corré
Élève Ingénieur Sécurité & Réseaux, Ops - Core Infrastructure
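
The behaviour described by the documentation sentence quoted above, as an added example that is not part of the original post and is not Snort's code: a small Python model that derives each direction's byte count from TCP sequence numbers and evaluates the `both,>,8` condition on every packet. It assumes the size is purely a function of sequence numbers, so in this model an alert changes nothing and later packets keep matching; the function name and the packet tuples are constructed for illustration.

```python
import operator

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around
OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq,
       "!=": operator.ne, "<=": operator.le, ">=": operator.ge}

def stream_size_matches(packets, direction, op, limit):
    """Model of stream_size:<direction>,<op>,<limit> evaluated after each packet.

    packets: list of (sender, seq, payload_len); sender is 'client' or 'server'
    and seq is the sequence number of the first payload byte (SYN handling is
    left out as a simplification). Returns one boolean per packet.
    """
    first, nxt, results = {}, {}, []
    for sender, seq, length in packets:
        first.setdefault(sender, seq)
        end = (seq + length) % MOD
        cur = nxt.get(sender, first[sender])
        # Advance only when the segment ends at or ahead of what was already
        # seen, so a retransmission does not add bytes. Modular arithmetic
        # keeps this correct across the 2**32 wrap.
        if (end - cur) % MOD < MOD // 2:
            nxt[sender] = end
        size = {s: (nxt.get(s, 0) - first.get(s, 0)) % MOD
                for s in ("client", "server")}
        checks = {s: OPS[op](size[s], limit) for s in size}
        if direction == "both":
            results.append(checks["client"] and checks["server"])
        elif direction == "either":
            results.append(checks["client"] or checks["server"])
        else:  # 'client' or 'server'
            results.append(checks[direction])
    return results

# Constructed sample session; the client's sequence numbers wrap past 2**32.
SESSION = [
    ("client", 4294967290, 6),   # client total: 6
    ("server", 1000, 10),        # server total: 10
    ("client", 0, 4),            # client total: 10
    ("server", 1010, 5),         # server total: 15
    ("client", 0, 4),            # retransmission, client total stays 10
]

if __name__ == "__main__":
    for pkt, hit in zip(SESSION, stream_size_matches(SESSION, "both", ">", 8)):
        print(pkt, "match" if hit else "no match")
```

In this model the condition first becomes true on the third packet and stays true for every packet after it, which is why a rule like this is usually paired with event thresholding or suppression.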
