[Snort-devel] snort packet rate filter rules issue on linux kernel 4.4.74

alex cheimarios alex.cheimarios at gmail.com
Wed Sep 6 16:35:52 EDT 2017


Hello all,

I have experienced an issue with rate filter rules on SLES12 kernel 4.4.74
with latest snort 2.9.9.0.

It seems that snort somehow aggregates the incoming packets in the rule
without taking into account the time interval, so it is blocking the
remote host when the packets reach the max count of the rate filter.

For example I have the following rule for ICMP packets:

rate_filter gen_id 1, sig_id 9000100, track by_src, count 20, seconds 1,
new_action drop, timeout 60

When I am doing a ping every 1 sec from the remote host (so the rate is 1
packet per sec), snort is blocking the ping at the 20th incoming ICMP. It seems
that it does not take into account the time interval of the rate filter.

Has anyone experienced a similar issue on kernel 4?
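To make the expected behaviour of the rule above concrete, here is a small reference model of a per-source rate filter, added as an illustration and not code from Snort or from the original post. It assumes the semantics of `count`, `seconds` and `timeout` as described in the Snort manual: reaching `count` events from one source within a sliding window of `seconds` switches that source to `new_action` for `timeout` seconds, a `timeout` of 0 never reverts, and a `seconds` of 0 makes the count cumulative rather than per window (the last two points are my reading of the manual, not something the post states). The constructed traffic replays the two cases from the post: one ping per second, which the window semantics should never block, and a burst that should be blocked from the 20th packet.

```python
from collections import defaultdict, deque


class RateFilter:
    """Reference model of a track-by_src rate_filter (illustrative, not Snort code)."""

    def __init__(self, count, seconds, timeout, base_action="alert", new_action="drop"):
        self.count = count          # events needed to trigger new_action
        self.seconds = seconds      # sliding window; 0 = cumulative count (assumed manual semantics)
        self.timeout = timeout      # seconds to stay in new_action; 0 = never revert (assumed)
        self.base_action = base_action
        self.new_action = new_action
        self.events = defaultdict(deque)   # src -> timestamps of recent matching events
        self.blocked_until = {}            # src -> time at which base_action is restored

    def process(self, src, now):
        """Return the action to apply to one matching event from src at time now."""
        if src in self.blocked_until:
            until = self.blocked_until[src]
            if until is None or now < until:
                return self.new_action        # still inside the timeout period
            del self.blocked_until[src]       # timeout elapsed: revert and restart counting
            self.events[src].clear()

        window = self.events[src]
        window.append(now)
        if self.seconds > 0:
            # Drop timestamps that fell out of the sliding window.
            while window and now - window[0] >= self.seconds:
                window.popleft()

        if len(window) >= self.count:
            # Threshold reached: switch this source to new_action.
            self.blocked_until[src] = None if self.timeout == 0 else now + self.timeout
            window.clear()
            return self.new_action
        return self.base_action


def simulate(rf, packets):
    """Feed (src, timestamp) pairs through the filter; return the list of actions."""
    return [rf.process(src, t) for src, t in packets]


# Rule from the post: count 20, seconds 1, new_action drop, timeout 60.
def steady_ping_actions():
    # Constructed: 30 ICMP echo requests from one host, one per second.
    rf = RateFilter(count=20, seconds=1, timeout=60)
    return simulate(rf, [("192.0.2.10", float(t)) for t in range(30)])


def burst_actions():
    # Constructed: 25 packets from one host within a quarter of a second.
    rf = RateFilter(count=20, seconds=1, timeout=60)
    return simulate(rf, [("192.0.2.10", i * 0.01) for i in range(25)])


def cumulative_ping_actions():
    # Same steady ping, but with seconds 0: the count never resets, so the
    # 20th packet trips the filter, matching the symptom described in the post.
    rf = RateFilter(count=20, seconds=0, timeout=60)
    return simulate(rf, [("192.0.2.10", float(t)) for t in range(30)])


if __name__ == "__main__":
    print("steady 1 pps drops:", steady_ping_actions().count("drop"))   # expect 0
    print("burst drops:", burst_actions().count("drop"))                 # expect 6
    print("cumulative drops:", cumulative_ping_actions().count("drop"))  # expect 11
```

Running the model side by side with a live Snort instance is a quick way to tell whether the engine is tracking the window at all: with a sliding window, a 1 pps ping must never reach the threshold, while the cumulative variant blocks on exactly the 20th packet.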