Snort mailing list archives
Snort rule does not alarm
From: Aleksandrs Polinkins <a.polinkins () gmail com>
Date: Mon, 30 Jan 2017 12:24:03 +0100
Dear all,

I have the following rule:

alert tcp any any <> any any (Msg:"Flooding attack!"; detection_filter:track by_dst, count 50, seconds 10;sid:1000036)

The rule works perfectly if no other rules are used, but if there are other rules it has no effect, even if the packet count is much more than 50 in 10 seconds. The problem should not be the choice between a generic rule and not, as no other alarms are triggered when this rule's alarm is expected.

Is this a Snort bug, or is there something I don't understand?

Thanks in advance!