[Snort-sigs] Thresholding in 2.0.2?

Jacob Roberts jake_roberts at ...1807...
Mon Nov 3 11:10:10 EST 2003


I am having trouble with thresholding.  We see about 30-50 port 135
attempts every 5 seconds.  Most of these are generated by the Blaster
virus and its variants.  There are only about 300 source IPs and I was
hoping that the thresholding would reduce our total number of alerts, but
adding thresholding to the rule I use below made no difference in the
number of alerts coming in.

alert tcp $HOME_NET any -> any 135 (msg: "BLASTER - 50 connection
attempts to port 135 in 3 minutes"; threshold: type threshold, track
by_src, count 1000, seconds 120;)

I also tried:
	type: both, count 50, seconds 180

And many other variations, but none of them made a difference.

We're running Snort on Windows 2000 Server on a large university
network.

Thanks
Jake
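An added example, not part of the original post and not Snort's own code: a small Python model of the three Snort 2.x rule-threshold types as the manual describes them (limit: alert on the first `count` events per interval; threshold: alert every `count` events; both: alert once per interval once `count` events have been seen), replayed over a constructed event stream shaped like the traffic above (300 sources, each retrying port 135 every 40 seconds, about 37 attempts per 5 seconds). The stream, the source addresses and the window handling are assumptions made for the illustration; it shows how `track by_src` with a high `count` interacts with many low-rate sources, and how a `limit` type threshold cuts the alert volume instead.

```python
"""Simplified model of Snort 2.x rule-threshold semantics (limit / threshold /
both), replayed over a constructed event stream.  Written for this discussion
as an illustration; it is not Snort's implementation."""
from dataclasses import dataclass


@dataclass
class Threshold:
    kind: str        # "limit", "threshold" or "both"
    count: int
    seconds: float


class ThresholdTracker:
    """Keeps one window (start time, event count) per tracking key,
    e.g. per source IP for 'track by_src'."""

    def __init__(self, thr: Threshold):
        self.thr = thr
        self.state = {}  # key -> [window_start, count]

    def should_alert(self, key, now: float) -> bool:
        st = self.state.get(key)
        if st is None or now - st[0] > self.thr.seconds:
            # first event for this key, or the previous window expired:
            # start a new window with this event as its first member
            st = [now, 1]
            self.state[key] = st
        else:
            st[1] += 1
        n = st[1]
        if self.thr.kind == "limit":
            return n <= self.thr.count      # first `count` events of the window
        if self.thr.kind == "threshold":
            if n >= self.thr.count:         # every `count` events
                st[1] = 0
                return True
            return False
        if self.thr.kind == "both":
            return n == self.thr.count      # once per window, when count is reached
        raise ValueError(f"unknown threshold type {self.thr.kind!r}")


def blaster_like_stream(sources=300, interval=40.0, duration=600.0):
    """Constructed traffic (assumption): each of `sources` hosts retries
    port 135 every `interval` seconds, hosts staggered by 0.1 s, for
    `duration` seconds.  300 hosts / 40 s = 7.5 events/s, ~37 per 5 s."""
    events = []
    for i in range(sources):
        src = f"10.0.{i // 256}.{i % 256}"   # constructed address
        t = 0.1 * i
        while t < duration:
            events.append((t, src))
            t += interval
    events.sort()
    return events


def count_alerts(events, thr=None):
    """Number of alerts the rule would raise: every event without a
    threshold, otherwise whatever the per-source tracker lets through."""
    if thr is None:
        return len(events)
    tracker = ThresholdTracker(thr)
    return sum(1 for t, src in events if tracker.should_alert(src, t))


if __name__ == "__main__":
    stream = blaster_like_stream()
    print(f"{len(stream)} events in 10 minutes, no threshold -> "
          f"{count_alerts(stream)} alerts")
    for thr in (Threshold("threshold", 1000, 120),   # the rule in the post
                Threshold("both", 50, 180),          # the second variant tried
                Threshold("limit", 1, 180),          # one alert per source per 3 min
                Threshold("both", 5, 180)):          # one alert per source per 3 min, after 5 hits
        print(f"type {thr.kind:9} count {thr.count:5} seconds {thr.seconds:4.0f} "
              f"-> {count_alerts(stream, thr)} alerts")
```

With each source sending only a few packets per window, a by_src threshold of count 1000 (or both with count 50) never trips in this model, so such a rule would produce no alerts at all; the alerts being seen would then have to come from some other rule matching the same traffic. A limit type with count 1 over the same 180 seconds turns the 4500 events into 900 alerts, one per source per window, which is the shape of reduction the post is after.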



