[Snort-sigs] Thresholding in 2.0.2?
jake_roberts at ...1807...
Mon Nov 3 11:10:10 EST 2003
I am having trouble with thresholding. We see about 30-50 port 135
attempts every 5 seconds. Most of these are generated by the Blaster
virus and its variants. There are only about 300 source IPs, and I was
hoping that thresholding would reduce our total number of alerts, but
adding thresholding to the rule I use below made no difference in the
number of alerts coming in.
alert tcp $HOME_NET any -> any 135 (msg: "BLASTER - 50 connection attempts to port 135 in 3 minutes"; threshold: type threshold, track by_src, count 1000, seconds 120;)
I also tried:
type: both, count 50, seconds 180
And many other variations, but none of them made a difference.
We're running Snort on Windows 2000 Server on a large University
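To see what each threshold setting would do to this alert volume, here is an added example (my own, not the poster's rule or Snort's code): a small Python model of the limit / threshold / both semantics documented in the Snort manual, run over constructed traffic shaped like the numbers in the post (300 sources, about 50 port-135 attempts per 5 seconds). The interval handling is a simplification of Snort's internal timing; with track by_src each source only contributes a few events per interval, so per-source counts such as 1000 or 50 are never reached.

```python
# Simplified model of Snort's per-rule "threshold:" option (limit / threshold / both),
# applied to constructed connection events to estimate how many alerts each setting yields.

def threshold_alerts(events, type_, count, seconds, track="by_src"):
    """Return the events that would still alert under the given threshold options.

    events: iterable of (timestamp_seconds, src_ip, dst_ip), any order.
    Semantics follow the Snort manual:
      limit     - alert on the first `count` events per tracked address per interval
      threshold - alert on every `count`-th event per tracked address per interval
      both      - alert once per interval, when the `count`-th event arrives
    The interval starts at the first event seen for an address and is reset once
    `seconds` have elapsed (an assumption that simplifies Snort's internal timing).
    """
    window = {}  # tracked address -> (interval_start, events_seen_in_interval)
    fired = []
    for ts, src, dst in sorted(events):
        key = src if track == "by_src" else dst
        start, n = window.get(key, (None, 0))
        if start is None or ts - start >= seconds:
            start, n = ts, 0  # begin a new counting interval
        n += 1
        window[key] = (start, n)
        if type_ == "limit":
            alert = n <= count
        elif type_ == "threshold":
            alert = n % count == 0
        elif type_ == "both":
            alert = n == count
        else:
            raise ValueError(f"unknown threshold type {type_!r}")
        if alert:
            fired.append((ts, src, dst))
    return fired

def make_events(sources=300, duration=600, period=30):
    """Constructed traffic (not captured data): `sources` hosts each hitting port 135
    once every `period` seconds for `duration` seconds, staggered so the aggregate
    rate is 10 events/s, i.e. about 50 per 5 s as in the post."""
    events = []
    for i in range(sources):
        src = f"10.{i // 256}.{i % 256}.7"  # constructed source addresses
        for k in range(duration // period):
            events.append((i % period + period * k, src, "10.9.9.9"))
    return events

EVENTS = make_events()

if __name__ == "__main__":
    print("no threshold:", len(EVENTS), "alerts")
    for type_, count, seconds in [("threshold", 1000, 120), ("both", 50, 180),
                                  ("limit", 1, 120), ("threshold", 2, 120)]:
        n = len(threshold_alerts(EVENTS, type_, count, seconds))
        print(f"type {type_:<9} count {count:<4} seconds {seconds:<3}: {n} alerts")
```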