Snort mailing list archives

snort packet rate filter rules issue on linux kernel 4.4.74


From: alex cheimarios via Snort-devel <snort-devel () lists snort org>
Date: Wed, 6 Sep 2017 23:35:52 +0300

Hello all,

I have experienced an issue with rate filter rules on SLES12 kernel 4.4.74
with the latest snort 2.9.9.0.

It seems that snort somehow aggregates the incoming packets in the rule
without taking into account the time interval, so it is blocking the
remote host when the packets reach the max count of the rate filter.

For example I have the following rule for ICMP packets:

rate_filter gen_id 1, sig_id 9000100, track by_src, count 20, seconds 1,
new_action drop, timeout 60

When I am doing a ping every 1 sec from the remote host (so the rate is 1
packet per sec), snort is blocking the ping at the 20th incoming ICMP. It seems
that it does not take into account the time interval of the rate filter.

Has anyone experienced a similar issue on kernel 4?
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
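The behaviour the post describes can be made concrete with a small model of what a `rate_filter` with `track by_src, count 20, seconds 1, new_action drop, timeout 60` is documented to do, next to the symptom reported above. This is an added example, not code from the poster or from the Snort project: it is a simplified reading of the README.filters semantics (a fixed counting window of `seconds`, the limit taken as exceeded once more than `count` matches fall inside it, `new_action` then held for `timeout` seconds), not a transcription of Snort's own rate-filter code, and whether Snort trips on the 20th or the 21st event is an off-by-one detail it does not try to settle. The traffic timelines and the source address are constructed.

```python
"""Model of Snort rate_filter semantics versus the symptom from the post.

Hypothetical model, not Snort code: events per source are counted inside a
fixed window of `seconds`; once the window holds more than `count` events the
source gets `new_action` for `timeout` seconds.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RateFilterConfig:
    count: int            # rule matches allowed within `seconds`
    seconds: float        # length of the counting window
    timeout: float        # how long new_action stays in force once tripped
    new_action: str = "drop"


@dataclass
class _SourceState:
    window_start: float
    events: int = 0
    blocked_until: float = float("-inf")


class RateFilterTracker:
    """One rate_filter with track by_src.

    honor_window=True  models the documented behaviour: the count restarts
                       when the window of `seconds` has elapsed.
    honor_window=False models the symptom reported on the list: matches are
                       aggregated with no regard to time, so even a slow,
                       steady sender is eventually blocked.
    """

    def __init__(self, cfg: RateFilterConfig, honor_window: bool = True):
        self.cfg = cfg
        self.honor_window = honor_window
        self._state: Dict[str, _SourceState] = {}

    def event(self, src: str, t: float) -> str:
        """Record one rule match from `src` at time `t`; return the action taken."""
        st = self._state.get(src)
        if st is None:
            st = self._state[src] = _SourceState(window_start=t)
        if t < st.blocked_until:              # still inside the timeout period
            return self.cfg.new_action
        if self.honor_window and t - st.window_start >= self.cfg.seconds:
            st.window_start = t               # window expired: fresh count
            st.events = 0
        st.events += 1
        if st.events > self.cfg.count:        # limit exceeded inside the window
            st.blocked_until = t + self.cfg.timeout
            st.window_start = t
            st.events = 0
            return self.cfg.new_action
        return "normal"                       # the rule's own action applies (e.g. alert)


def simulate(cfg: RateFilterConfig, times: List[float],
             honor_window: bool = True, src: str = "10.0.0.2") -> List[str]:
    """Feed a timeline of matches from one source; return the action per packet."""
    trk = RateFilterTracker(cfg, honor_window)
    return [trk.event(src, t) for t in times]


def first_new_action(actions: List[str], new_action: str = "drop") -> Optional[int]:
    """1-based index of the first packet that received new_action, or None."""
    for i, a in enumerate(actions, start=1):
        if a == new_action:
            return i
    return None


# The rule from the post: count 20, seconds 1, new_action drop, timeout 60
ICMP_RULE = RateFilterConfig(count=20, seconds=1, timeout=60, new_action="drop")
# Constructed traffic: one ping per second for 60 s, and a 30-packet burst in 0.3 s
STEADY_PING = [float(i) for i in range(60)]
BURST = [i * 0.01 for i in range(30)]

if __name__ == "__main__":
    print("1 pkt/s, window honoured :", first_new_action(simulate(ICMP_RULE, STEADY_PING)))
    print("1 pkt/s, window ignored  :", first_new_action(simulate(ICMP_RULE, STEADY_PING, honor_window=False)))
    print("30-pkt burst, honoured   :", first_new_action(simulate(ICMP_RULE, BURST)))
```

With the window honoured, one ping per second never accumulates more than a single match per window and is never dropped, while a burst trips the filter at the 21st packet and stays dropped until the 60-second timeout has passed. With the window ignored, the same one-per-second ping is dropped once the running total passes 20, which is the behaviour the post reports; comparing the two timelines against what snort actually does on the affected kernel is a quick way to confirm whether the window reset is being applied.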
