Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Snort rule does not alarm

From: Aleksandrs Polinkins <a.polinkins () gmail com>
Date: Mon, 30 Jan 2017 12:24:03 +0100
Dear all,

I have the following rule 

alert tcp any any <> any any (Msg:"Flooding attack!"; detection_filter:track by_dst, count 50, seconds 10;sid:1000036)

The rule works perfectly if no other rules are used, but if there are other rules it has no effect even if packet count 
is much more that 50 in 10 seconds. The problem should not be the choice between generic rule and not, as no other 
alarms are triggered when this rule alarm is expected. Is this a Snort's bug or I don't understand something?

Thanks in advance!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: