[Snort-devel] Snort 2.7.0 thresholding-local none

Jeffrey Denton dentonj at ...2499...
Sun Jul 15 19:08:24 EDT 2007


The threshold option in the signatures does work in snort-2.7.0.

In /var/log/messages, ----[thresholding-local]---- displays "none".

/etc/snort/snort_test.conf:

var HOME_NET any
var EXTERNAL_NET any
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
output alert_syslog: LOG_AUTH LOG_ALERT
include /etc/snort/classification.config
include /etc/snort/reference.config
alert icmp any any -> any any (msg:"Test ping - dentonj payload - limit"; content:"dentonj"; threshold: type limit, track by_src, count 1, seconds 30; sid:10000001; rev:1;)
alert icmp any any -> any any (msg:"Test ping - DENTONJ payload - threshold"; content:"DENTONJ"; threshold: type threshold, track by_src, count 5, seconds 30; sid:10000002; rev:1;)

# snort -c snort_test.conf -i eth0

The following command triggers two alerts, one with a source of
192.168.1.2 and the second with a source of 192.168.1.1:
$ ping -c 5 -p 64656e746f6e6a 192.168.1.1

The following command does not trigger any alerts:
$ ping -c 2 -p 44454e544f4e4a 192.168.1.1

The following command triggers two alerts, one with a source of
192.168.1.2 and the second with a source of 192.168.1.1:
$ ping -c 5 -p 44454e544f4e4a 192.168.1.1

From snort starting up:
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
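The alert counts reported above follow from the documented semantics of the rule `threshold` keyword: `type limit` alerts on the first `count` matching events per source in each `seconds` window, and `type threshold` alerts every `count` events. The simulation below is an added example, not code from the post or from Snort; it models those semantics over a constructed packet stream for the three `ping` commands. It assumes `ping` sends one echo request per second, that each echo reply carries the same payload back (so the 192.168.1.1 side matches the rule as a separate `by_src` key), and that `content` matching is a case-sensitive substring match, which is why the lower-case and upper-case pads hit different rules.

```python
"""Constructed simulation of Snort rule thresholds (type limit / threshold,
track by_src) applied to the ICMP test described in the post."""


def ping_pad_to_bytes(hexpad: str) -> bytes:
    """Decode the hex pattern passed to `ping -p` into payload bytes.
    ping repeats the pattern to fill the packet; one copy is enough for a
    substring match, so the repetition is omitted here."""
    return bytes.fromhex(hexpad)


class RuleThreshold:
    """Per-rule threshold state, keyed by the tracked address."""

    def __init__(self, kind: str, count: int, seconds: int):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError(kind)
        self.kind, self.count, self.seconds = kind, count, seconds
        self.state = {}  # key -> (window_start, events_seen_in_window)

    def allow(self, key: str, ts: float) -> bool:
        """Return True if this matching event should produce an alert."""
        start, seen = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0  # new time window for this key
        seen += 1
        self.state[key] = (start, seen)
        if self.kind == "limit":        # first `count` events per window
            return seen <= self.count
        if self.kind == "threshold":    # every `count` events
            return seen % self.count == 0
        return seen == self.count       # both: once per window, on the count-th


# The two rules from the post, reduced to content pattern + threshold.
RULES = [
    {"sid": 10000001, "content": b"dentonj", "thr": ("limit", 1, 30)},
    {"sid": 10000002, "content": b"DENTONJ", "thr": ("threshold", 5, 30)},
]


def simulate_ping(src: str, dst: str, count: int, hexpad: str, t0: float = 0.0):
    """Constructed packet stream for `ping -c count -p hexpad dst` from src.
    Assumption: one request per second, each answered by a reply that echoes
    the same payload, so both hosts appear as sources."""
    payload = ping_pad_to_bytes(hexpad)
    events = []
    for i in range(count):
        t = t0 + i
        events.append((t, src, dst, payload))          # echo request
        events.append((t + 0.001, dst, src, payload))  # echo reply
    return events


def run(events, rules=RULES):
    """Apply the rules with fresh threshold state; return (sid, src) alerts."""
    thresholds = {r["sid"]: RuleThreshold(*r["thr"]) for r in rules}
    alerts = []
    for ts, src, dst, payload in events:
        for r in rules:
            # Case-sensitive substring match, as a rule without `nocase` does.
            if r["content"] in payload and thresholds[r["sid"]].allow(src, ts):
                alerts.append((r["sid"], src))
    return alerts


if __name__ == "__main__":
    me, target = "192.168.1.2", "192.168.1.1"
    print(run(simulate_ping(me, target, 5, "64656e746f6e6a")))  # limit: 2 alerts
    print(run(simulate_ping(me, target, 2, "44454e544f4e4a")))  # threshold: none
    print(run(simulate_ping(me, target, 5, "44454e544f4e4a")))  # threshold: 2 alerts
```

Running it reproduces the post's three observations: the `limit` rule fires once per source address and then stays quiet for the rest of the 30-second window, and the `threshold` rule fires only once each source has contributed five matching packets, which two pings cannot reach.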