[Snort-sigs] confused over thresholds

Jeff Kell jeff-kell at ...922...
Thu Aug 3 18:41:58 EDT 2006


Russell Fulton wrote:
> Hi Folk,
> 	I clearly don't understand this properly, sigh...
> I am getting lots (tens of thousands) of hits on the bleeding VNC rule:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg: "BLEEDING-EDGE
> SCAN Potential VNC Scan 5900-5920"; flags:S; threshold: type threshold,
> track by_src, count 50, seconds 900; classtype:attempted-recon;
> sid:2002911; rev:1;)
>
> Astute people will notice that I have raised both the count and the
> seconds parameters to threshold in an attempt to cut down the number of
> alerts.
I think what you want is threshold: type both.  That will give you ONE
alert if you get 'count' hits in 'seconds', and no more until 'seconds'
are up.

Using type threshold, you get ONE alert for 'count' hits in 'seconds',
then everything is reset to scratch, and it starts looking for 'count'
hits in the next 'seconds' all over again.

Jeff
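To make the difference between the threshold types concrete, here is a small replay model added to this archive page; it is not code from the Snort project or from either poster. It follows the semantics the Snort manual documents for the `threshold:` keyword (`limit`, `threshold`, `both`) and feeds the same rule parameters as the quoted VNC rule (count 50, seconds 900, track by_src) a constructed stream of SYN events. The window handling is this model's assumption: a window starts at the first event for a tracking key and restarts at the first event after it expires, and for type `threshold` the counter restarts after each alert. The IP addresses and timings are made up for the example.

```python
"""Model of Snort's event-threshold types (limit / threshold / both).

Added illustration, not Snort's own code.  Documented semantics modelled:

  limit      - alert on the first `count` events in each `seconds` window,
               then ignore the rest of that window
  threshold  - alert on every `count`-th event within the window
  both       - alert once per window, on the `count`-th event, then ignore
               the rest of that window

Assumptions of this model (not checked against the Snort source): a window
starts at the first event seen for a tracking key and restarts at the first
event after it expires; for type `threshold` the counter restarts after
each alert.
"""
from dataclasses import dataclass


@dataclass
class _State:
    tstart: float   # start of the current window for this key
    n: int = 0      # events counted in the current window


def run_threshold(events, rule_type, count, seconds, track="by_src"):
    """Replay (time_s, src, dst) events through one threshold config.

    Returns the list of (time_s, key) pairs for which an alert would fire.
    """
    if rule_type not in ("limit", "threshold", "both"):
        raise ValueError(f"unknown threshold type: {rule_type}")
    key_idx = {"by_src": 1, "by_dst": 2}[track]
    state = {}
    alerts = []
    for ev in sorted(events):
        t, key = ev[0], ev[key_idx]
        st = state.get(key)
        # Open a fresh window on the first event, or once the old one expired.
        if st is None or t - st.tstart >= seconds:
            st = state[key] = _State(tstart=t)
        st.n += 1
        if rule_type == "limit":
            fire = st.n <= count
        elif rule_type == "threshold":
            fire = st.n >= count
            if fire:                 # restart the count for the next batch
                st.n = 0
                st.tstart = t
        else:                        # both
            fire = st.n == count
        if fire:
            alerts.append((t, key))
    return alerts


# Constructed sample traffic (not captured data): one noisy scanner and one
# host that only touches a few VNC ports.  Events are (time_s, src, dst).
SCANNER, QUIET = "203.0.113.5", "198.51.100.7"
SAMPLE_EVENTS = (
    [(t, SCANNER, "10.0.0.1") for t in range(0, 200)]        # 200 SYNs, 1/s
    + [(t, SCANNER, "10.0.0.2") for t in range(1000, 1050)]  # later burst of 50
    + [(t, QUIET, "10.0.0.3") for t in range(0, 10)]         # 10 SYNs only
)


def alert_counts(events=SAMPLE_EVENTS, count=50, seconds=900):
    """Alerts each threshold type raises for identical rule parameters."""
    return {kind: len(run_threshold(events, kind, count, seconds))
            for kind in ("limit", "threshold", "both")}


if __name__ == "__main__":
    for kind, n in alert_counts().items():
        print(f"type {kind:9s} count 50 seconds 900 -> {n} alerts")
```

On this input `type threshold` fires once for every 50 SYNs from the scanner (five alerts), `type limit` fires on every one of the first 50 SYNs in each window (110 alerts, including the quiet host's ten), and `type both` fires once per window (two alerts), which is the behaviour the reply recommends for cutting the alert volume of a noisy scan signature.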