[Snort-devel] [Snort-users] Bug in

Joel Esler (jesler) jesler at ...3461...
Wed Aug 27 14:55:35 EDT 2014

Cc’ing Snort-devel

On Aug 27, 2014, at 2:24 PM, Starner, Mark <mark.starner at ...3510...> wrote:

A rule (ET Rule 2012647) has the following threshold in the rule:  threshold: type limit, count 1, seconds 300, track by_src

Prior to upgrading to, this worked as expected, one alert every 5 minutes.
Since upgrading to on 8/15, now we are seeing the behavior where the rule will fire, wait 5 minutes, then fire again, and again and again.

But, it doesn’t start out this way. After a restart of Snort (STOP and START) it is fine, it alerts once every 5 minutes, for a while, and then at some point during the day, it will start reporting all alerts, until snort is STOPped and STARTed. Then it goes back to the proper behavior. (A Kill -HUP of the snort process does NOT reset to the proper behavior, only a STOP/START temporarily fixes it).

Anyone else see this or have any suggestions?

Is this a Bug in

Mark Starner  | Global Infrastructure - Systems  |  Unisys IT

Unisys  |  443-921-0355
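
To pin down when the threshold stops being honoured, the alert log can be audited against the rule's own limit (count 1, seconds 300, track by_src). The script below is an added example, not code from this thread or from Snort. It assumes the "fast" alert log format and a simple per-source window model; the year, addresses, message text, rule revisions and the second sid in the sample lines are constructed.

```python
import re
from datetime import datetime

# Snort "fast" alert line: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
FAST = re.compile(r"^(\S+)\s+\[\*\*\]\s+\[(\d+):(\d+):\d+\].*?\{\w+\}\s+([0-9.]+)(?::\d+)?\s+->")

def parse_fast(lines, sid, year=2014):
    """Yield (timestamp, src_ip) for alerts of one sid; the fast format has no year, so one is assumed."""
    for line in lines:
        m = FAST.match(line)
        if m and int(m.group(3)) == sid:
            ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
            yield ts, m.group(4)

def audit_limit(events, count=1, seconds=300):
    """Return alerts that a 'type limit, track by_src' threshold should have suppressed.

    Assumed model: per source, a window opens at the first alert, at most `count`
    alerts are logged inside it, and the first alert after it expires opens a new one.
    """
    state, leaked = {}, []              # state: src -> (window_start, alerts_seen)
    for ts, src in sorted(events):
        start, seen = state.get(src, (None, 0))
        if start is None or (ts - start).total_seconds() >= seconds:
            start, seen = ts, 0         # first alert or expired window: open a new one
        seen += 1
        state[src] = (start, seen)
        if seen > count:                # logged although the limit was already reached
            leaked.append((ts, src))
    return leaked

# Constructed sample log: a healthy morning, then every alert logged after 13:00.
SAMPLE = """\
08/27-09:00:00.000000  [**] [1:2012647:1] constructed sample msg [**] [Priority: 1] {TCP} 10.0.0.5:50000 -> 192.0.2.10:443
08/27-09:05:10.000000  [**] [1:2012647:1] constructed sample msg [**] [Priority: 1] {TCP} 10.0.0.5:50001 -> 192.0.2.10:443
08/27-13:00:00.000000  [**] [1:2012647:1] constructed sample msg [**] [Priority: 1] {TCP} 10.0.0.5:50002 -> 192.0.2.10:443
08/27-13:00:10.000000  [**] [1:2012647:1] constructed sample msg [**] [Priority: 1] {TCP} 10.0.0.9:40000 -> 192.0.2.10:443
08/27-13:00:20.000000  [**] [1:1000001:1] constructed other rule [**] [Priority: 3] {TCP} 10.0.0.5:50003 -> 192.0.2.10:80
08/27-13:00:30.000000  [**] [1:2012647:1] constructed sample msg [**] [Priority: 1] {TCP} 10.0.0.5:50004 -> 192.0.2.10:443
08/27-13:01:00.000000  [**] [1:2012647:1] constructed sample msg [**] [Priority: 1] {TCP} 10.0.0.5:50005 -> 192.0.2.10:443
""".splitlines()

if __name__ == "__main__":
    for ts, src in audit_limit(parse_fast(SAMPLE, sid=2012647)):
        print(f"threshold leak: {src} at {ts:%m/%d %H:%M:%S}")
```

The timestamp of the first reported leak marks when the limit stopped being applied, which can then be compared against reloads, rule updates or other events on the sensor.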

