[Snort-devel] Snort 2.7.0 thresholding-local none

Steven Sturges steve.sturges at ...402...
Mon Jul 16 09:57:09 EDT 2007


Hi Jeff--

There was a change in 2.7.0 to do 2 passes through snort.conf,
one for config and preprocessor configuration, the second for
rules.

However, the thresholding configuration output is still being
printed after the first pass, so no rule SIDs are showing up
there.

The thresholding itself is still working, it's just not
displayed correctly at startup.

I've written a bug for this issue.

Cheers.
-steve

Jeffrey Denton wrote:
> The threshold option in the signatures does work in snort-2.7.0.
> 
> In /var/log/messages, ----[thresholding-local]---- displays "none".
> 
> /etc/snort/snort_test.conf:
> 
> var HOME_NET any
> var EXTERNAL_NET any
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> preprocessor flow: stats_interval 0 hash 2
> preprocessor stream4: disable_evasion_alerts
> preprocessor stream4_reassemble
> output alert_syslog: LOG_AUTH LOG_ALERT
> include /etc/snort/classification.config
> include /etc/snort/reference.config
> alert icmp any any -> any any (msg:"Test ping - dentonj payload - limit"; content:"dentonj"; threshold: type limit, track by_src, count 1, seconds 30; sid:10000001; rev:1;)
> alert icmp any any -> any any (msg:"Test ping - DENTONJ payload - threshold"; content:"DENTONJ"; threshold: type threshold, track by_src, count 5, seconds 30; sid:10000002; rev:1;)
> 
> # snort -c snort_test.conf -i eth0
> 
> The following command triggers two alerts, one with a source of
> 192.168.1.2 and the second with a source of 192.168.1.1:
> $ ping -c 5 -p 64656e746f6e6a 192.168.1.1
> 
> The following command does not trigger any alerts:
> $ ping -c 2 -p 44454e544f4e4a 192.168.1.1
> 
> The following command triggers two alerts, one with a source of
> 192.168.1.2 and the second with a source of 192.168.1.1:
> $ ping -c 5 -p 44454e544f4e4a 192.168.1.1
> 
> From snort starting up:
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[thresholding-global]----------------------------------
> | none
> +-----------------------[thresholding-local]-----------------------------------
> | none
> +-----------------------[suppression]------------------------------------------
> | none
> -------------------------------------------------------------------------------
> 
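A model of how the per-rule `threshold:` keyword gates alerts, added here as an illustration (constructed, not Snort's own code): it replays the three ping runs from the report through the two rules above and reproduces the alert counts Jeff observed, which is the check to rely on when the startup banner prints "none". It assumes each echo reply carries the same payload as its request, one request per second, and that the three runs are more than 30 s apart.

```python
from dataclasses import dataclass, field

@dataclass
class RuleThreshold:
    """Constructed model of Snort's per-rule `threshold:` keyword
    (type limit|threshold|both, track by_src|by_dst, count N, seconds S)."""
    kind: str
    track: str
    count: int
    seconds: int
    state: dict = field(default_factory=dict)  # address -> (window_start, hits)

    def check(self, src, dst, now):
        """True if this event should alert, False if the threshold suppresses it."""
        key = src if self.track == "by_src" else dst
        start, hits = self.state.get(key, (None, 0))
        if start is None or now - start >= self.seconds:
            start, hits = now, 0          # new time window for this address
        hits += 1
        self.state[key] = (start, hits)
        if self.kind == "limit":          # alert on the first N events per window
            return hits <= self.count
        if self.kind == "threshold":      # alert on every Nth event
            return hits % self.count == 0
        return hits == self.count         # both: once per window, at the Nth event

def run(rules, packets):
    """rules: [(sid, content, RuleThreshold)]; packets: [(time, src, dst, payload)].
    Returns {sid: [source of each alert that fired]}."""
    alerts = {sid: [] for sid, _, _ in rules}
    for now, src, dst, payload in packets:
        for sid, content, thr in rules:
            if content in payload and thr.check(src, dst, now):
                alerts[sid].append(src)
    return alerts

def ping(t0, count, payload, src="192.168.1.2", dst="192.168.1.1"):
    """Constructed traffic for `ping -c count -p <hex>`: each echo request and
    the target's echo reply both carry the pattern, one request per second."""
    pkts = []
    for i in range(count):
        pkts += [(t0 + i, src, dst, payload), (t0 + i, dst, src, payload)]
    return pkts

def reproduce_report():
    """The two rules and three ping runs from the report, runs spaced >30 s apart."""
    rules = [(10000001, b"dentonj", RuleThreshold("limit", "by_src", 1, 30)),
             (10000002, b"DENTONJ", RuleThreshold("threshold", "by_src", 5, 30))]
    traffic = ping(0, 5, b"dentonj") + ping(100, 2, b"DENTONJ") + ping(200, 5, b"DENTONJ")
    return run(rules, traffic)
```

Both rules fire exactly twice, once per source address, and the two-packet run fires nothing, matching the report.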
