[Snort-devel] snort packet rate filter rules issue on linux kernel 4.4.74
alex.cheimarios at gmail.com
Wed Sep 6 16:35:52 EDT 2017
I have experienced an issue with rate filter rules on SLES12 kernel 4.4.74
with the latest snort 126.96.36.199.
It seems that snort somehow aggregates the incoming packets in the rule
without taking into account the time interval, so it is blocking the
remote host when the packets reach the max count of the rate filter.
For example I have the following rule for ICMP packets:
rate_filter gen_id 1, sig_id 9000100, track by_src, count 20, seconds 1,
new_action drop, timeout 60
When I am doing a ping every 1 sec from the remote host (so the rate is 1
packet per sec), snort is blocking the ping at 20th incoming ICMP. It seems
that it does not take into account the time interval of the rate filter.
Has anyone experienced a similar issue on kernel 4?
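To make the expected rate_filter semantics concrete, the following is an added model written for this page; it is not Snort code and not part of the poster's message. It assumes (not verified against the Snort source) that `count c, seconds s` means a per-tracker sliding window of `s` seconds, that reaching `c` events inside that window switches the tracker to `new_action` for `timeout` seconds, and that the original action is restored afterwards. The source address and timestamps are constructed. A second, deliberately naive tracker that never expires its counter reproduces the symptom the report describes (the 1 packet/s ping being dropped at the 20th packet), so the two can be compared side by side.

```python
from collections import deque

# Added example: a model of Snort's rate_filter semantics, not Snort's own code.
# Assumed semantics: per-tracker sliding window of `seconds`; when at least
# `count` events land inside the window, the tracker switches to new_action for
# `timeout` seconds, after which the original action is restored.
class RateFilter:
    def __init__(self, count, seconds, timeout):
        self.count = count
        self.seconds = seconds
        self.timeout = timeout
        self.windows = {}        # src -> deque of event timestamps inside the window
        self.blocked_until = {}  # src -> time at which new_action expires

    def action(self, src, ts):
        """Return 'drop' (new_action active) or 'alert' for an event from src at ts."""
        until = self.blocked_until.get(src)
        if until is not None:
            if ts < until:
                return "drop"
            del self.blocked_until[src]   # timeout elapsed, revert to original action
        win = self.windows.setdefault(src, deque())
        win.append(ts)
        while win and ts - win[0] >= self.seconds:   # discard events older than the window
            win.popleft()
        if len(win) >= self.count:
            self.blocked_until[src] = ts + self.timeout
            win.clear()
            return "drop"
        return "alert"


class CumulativeCounter:
    """Models the behaviour the report describes: the per-source count never expires."""
    def __init__(self, count):
        self.count = count
        self.seen = {}

    def action(self, src, ts):
        self.seen[src] = self.seen.get(src, 0) + 1
        return "drop" if self.seen[src] >= self.count else "alert"


def simulate(tracker, events):
    """Apply a tracker to (src, timestamp) events in order; return the list of actions."""
    return [tracker.action(src, ts) for src, ts in events]


# Constructed traffic mirroring the rule in the report: count 20, seconds 1, timeout 60.
SRC = "192.0.2.10"                                             # constructed source address
PING_1_PER_SEC = [(SRC, float(i)) for i in range(30)]          # one echo request per second
BURST = [(SRC, i * 0.02) for i in range(25)] + [(SRC, 61.0)]   # 25 in 0.5 s, then one after the timeout


def expected_behaviour():
    """Windowed filter against a 1 packet/s ping: should never drop."""
    return simulate(RateFilter(count=20, seconds=1, timeout=60), PING_1_PER_SEC)


def burst_behaviour():
    """Windowed filter against a real burst: drops from the 20th packet until the timeout expires."""
    return simulate(RateFilter(count=20, seconds=1, timeout=60), BURST)


def reported_behaviour():
    """Counter without a window against the same 1 packet/s ping: drops at the 20th packet."""
    return simulate(CumulativeCounter(count=20), PING_1_PER_SEC)


if __name__ == "__main__":
    print("1 pkt/s, windowed :", expected_behaviour().count("drop"), "drops")
    print("25 pkts/0.5 s     :", burst_behaviour().count("drop"), "drops")
    print("1 pkt/s, no window:", reported_behaviour().count("drop"), "drops")
```

With the windowed model the steady 1 packet/s ping never accumulates more than one event inside the 1 second window, so it is never dropped, while the burst trips the filter on its 20th packet and stays dropped until `timeout` has elapsed. The cumulative counter drops the ping on the 20th packet regardless of spacing, which is the behaviour described above; comparing the two outputs is a quick way to tell whether a deployment is applying the window at all.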