[Snort-devel] snort packet rate filter rules issue on linux kernel 4.4.74

alex cheimarios alex.cheimarios at gmail.com
Thu Oct 5 13:21:54 EDT 2017


Looks like it works on Ubuntu with kernel 4 though. So it could have been
something in the kernel config.

On Sep 6, 2017 23:35, "alex cheimarios" <alex.cheimarios at gmail.com> wrote:

> Hello all,
>
> I have experienced an issue with rate filter rules on SLES12 kernel
> 4.4.74 with latest snort 2.9.9.0.
>
> It seems that snort somehow aggregates the incoming packets in the rule
> without taking into account the time interval, so it is blocking the
> remote host when the packets reach the max count of the rate filter.
>
> For example I have the following rule for ICMP packets:
>
> rate_filter gen_id 1, sig_id 9000100, track by_src, count 20, seconds 1,
> new_action drop, timeout 60
>
> When I am doing a ping every 1 sec from the remote host (so the rate is 1
> packet per sec), snort is blocking the ping at the 20th incoming ICMP. It seems
> that it does not take into account the time interval of the rate filter.
>
> Has anyone experienced a similar issue on kernel 4?
>
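As an added illustration (not part of the thread or of Snort's code), a small Python model of a per-source rate filter using the settings from the rule above: when the window is honoured, one ping per second never trips the filter, while a counter that ignores the interval blocks the source at the 20th packet, which is the behaviour reported. The simplified trigger semantics (block once `count` arrivals fall inside `seconds`), the source address and the timestamps are constructed assumptions.

```python
from collections import defaultdict, deque


class RateFilter:
    """Sliding-window rate filter modelled on the post's rate_filter
    options: count, seconds, new_action drop, timeout (simplified)."""

    def __init__(self, count, seconds, timeout, honour_window=True):
        self.count, self.seconds, self.timeout = count, seconds, timeout
        # honour_window=False reproduces the reported bug: arrivals are
        # never expired, so the counter only ever grows.
        self.honour_window = honour_window
        self.hits = defaultdict(deque)   # src -> arrival timestamps
        self.blocked_until = {}          # src -> end of the drop period

    def action(self, src, ts):
        """Return 'drop' or 'alert' for one packet from src at time ts."""
        if src in self.blocked_until:
            if ts < self.blocked_until[src]:
                return "drop"            # still inside new_action timeout
            del self.blocked_until[src]
            self.hits[src].clear()
        arrivals = self.hits[src]
        arrivals.append(ts)
        if self.honour_window:
            # Expire arrivals older than the configured window.
            while arrivals and ts - arrivals[0] >= self.seconds:
                arrivals.popleft()
        if len(arrivals) >= self.count:
            self.blocked_until[src] = ts + self.timeout
            return "drop"
        return "alert"


def first_dropped(rate_filter, timestamps, src="192.0.2.10"):
    """Feed constructed arrivals; return 1-based index of first drop or None."""
    for i, ts in enumerate(timestamps):
        if rate_filter.action(src, ts) == "drop":
            return i + 1
    return None


# Constructed traffic: one ICMP echo per second for 60 s (the rate in the post).
PINGS_ONE_PER_SEC = [float(t) for t in range(60)]
# Constructed traffic: 25 echoes inside half a second (a real burst).
PING_BURST = [i * 0.02 for i in range(25)]

if __name__ == "__main__":
    print(first_dropped(RateFilter(20, 1, 60), PINGS_ONE_PER_SEC))                       # None
    print(first_dropped(RateFilter(20, 1, 60, honour_window=False), PINGS_ONE_PER_SEC))  # 20
    print(first_dropped(RateFilter(20, 1, 60), PING_BURST))                              # 20
```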

