[Snort-sigs] confused over thresholds

Russell Fulton r.fulton at ...575...
Thu Aug 3 18:29:23 EDT 2006


Hi Folks,
	I clearly don't understand this properly, sigh...
I am getting lots (tens of thousands) of hits on the bleeding VNC rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg: "BLEEDING-EDGE SCAN Potential VNC Scan 5900-5920"; flags:S; threshold: type threshold, track by_src, count 50, seconds 900; classtype:attempted-recon; sid:2002911; rev:1;)

Astute people will notice that I have raised both the count and the
seconds parameters to threshold in an attempt to cut down the number of
alerts.

My understanding is that I should get just one alert every 900 seconds
per source but instead I get:

Timestamp		Signature		IP Src		IP Dst		
2006-08-03 12:24:18	BLEEDING-EDGE SCAN Potential V		218.21.72.202	130.216.140.37	6	48	
2006-08-03 12:24:19	BLEEDING-EDGE SCAN Potential V		218.21.72.202	130.216.140.125	6	48	
2006-08-03 12:24:20	BLEEDING-EDGE SCAN Potential V		218.21.72.202	130.216.140.178	6	48	
2006-08-03 12:24:20	BLEEDING-EDGE SCAN Potential V		218.21.72.202	130.216.140.32	6	48	
2006-08-03 12:24:21	BLEEDING-EDGE SCAN Potential V		218.21.72.202	130.216.140.239	6	48	
2006-08-03 12:24:21	BLEEDING-EDGE SCAN Potential V		218.21.72.202	130.216.140.106	6	48	
2006-08-03 12:24:22	BLEEDING-EDGE SCAN Potential V		218.21.72.202	130.216.140.137	6	48	
2006-08-03 12:24:22	BLEEDING-EDGE SCAN Potential V		218.21.72.202	130.216.141.82	6	48	
2006-08-03 12:24:23	BLEEDING-EDGE SCAN Potential V		218.21.72.202	130.216.141.124	6	48	
2006-08-03 12:24:24	BLEEDING-EDGE SCAN Potential V		218.21.72.202	130.216.140.237	6	48	

(apologies for the line wrap TB won't let me turn it on and off easily :( )

In this case the threshold does not seem to have any effect at all;
clearly I've screwed something up!

Any ideas what?

Russell
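Editor's note: the behaviour in the post follows from how Snort's `threshold:` keyword is documented. `type threshold` raises an alert on every `count`-th match per source within the window, so a scanner sending hundreds of SYNs a second against a 5900:5920 sweep produces an alert every few dozen packets, which is what the table above shows. One alert per source per 900 seconds is what `type limit, count 1` or `type both, count 50` gives. The simulation below is an added example written for this page; it is not Snort's code and not from the original post. It models the three documented threshold types with a simplified window (one fixed 900 s period starting at a source's first match, an assumption) and runs them over a constructed scan using RFC 5737 addresses.

```python
"""Simplified model of Snort's per-rule `threshold:` keyword (added example,
not Snort's own code). It reproduces the documented semantics of the three
types so the effect of `type threshold, count 50, seconds 900` can be seen
on a constructed scan:

  limit     -> alert on the first `count` events per source within `seconds`
  threshold -> alert on every `count`-th event per source within `seconds`
  both      -> alert once per `seconds` window, when `count` events are seen
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Event = Tuple[float, str, str]  # (timestamp, src_ip, dst_ip)


@dataclass
class _Window:
    start: float = 0.0   # start of this source's current time window
    count: int = 0       # matches seen from this source in the window
    active: bool = False


def threshold_filter(events: Iterable[Event], ttype: str, count: int,
                     seconds: int) -> List[Event]:
    """Return the matching events that would raise an alert under
    `threshold: type <ttype>, track by_src, count <count>, seconds <seconds>`.
    Events must be in time order. Windows are modelled as fixed
    `seconds`-long periods starting at a source's first match (assumption)."""
    if ttype not in ("limit", "threshold", "both"):
        raise ValueError("ttype must be limit, threshold or both")
    state: Dict[str, _Window] = defaultdict(_Window)
    alerts: List[Event] = []
    for ts, src, dst in events:
        w = state[src]                                  # track by_src
        if not w.active or ts - w.start >= seconds:
            w.start, w.count, w.active = ts, 0, True    # new window, reset
        w.count += 1
        if ttype == "limit":
            fire = w.count <= count          # first `count` matches only
        elif ttype == "threshold":
            fire = w.count % count == 0      # every `count`-th match
        else:  # both
            fire = w.count == count          # once per window, at match #count
        if fire:
            alerts.append((ts, src, dst))
    return alerts


def make_scan(src: str, n_syn: int, start: float, per_second: int) -> List[Event]:
    """Constructed sample input: n_syn SYNs from one source sweeping
    consecutive hosts in 198.51.100.0/24 at `per_second` packets per second."""
    return [(start + i / per_second, src, f"198.51.100.{i % 254 + 1}")
            for i in range(n_syn)]


def alert_counts(events: List[Event]) -> Dict[str, int]:
    """Alert counts for the rule as posted versus the two settings that give
    'one alert per source per 900 seconds'."""
    return {
        "threshold 50/900": len(threshold_filter(events, "threshold", 50, 900)),
        "limit 1/900": len(threshold_filter(events, "limit", 1, 900)),
        "both 50/900": len(threshold_filter(events, "both", 50, 900)),
    }


if __name__ == "__main__":
    # 600 SYNs in 6 seconds from one scanner (constructed data)
    scan = make_scan("192.0.2.10", 600, 0.0, 100)
    for name, n in alert_counts(scan).items():
        print(f"{name:18s} -> {n} alert(s) in 6 seconds")
```

Running it shows the posted rule producing a dozen alerts in six seconds from a single source, while `limit 1` and `both 50` each produce one; a second, quieter source that sends fewer than 50 SYNs never trips `both 50` but does trip `limit 1`, which is the trade-off to weigh when tuning a scan signature.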
