[Snort-sigs] confused over thresholds

Erik Fichtner emf at ...3056...
Thu Aug 3 18:45:42 EDT 2006


Russell Fulton wrote:
> Hi Folk,
> 	I clearly don't understand this properly, sigh...
> I am getting lots (tens of thousands) of hits on the bleeding VNC rule:
> 
> :alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg: "BLEEDING-EDGE
> SCAN Potential VNC Scan 5900-5920"; flags:S; threshold: type threshold,
> track by_src, count 50, seconds 900; classtype:attempted-recon;
> sid:2002911; rev:1;)
> 
> Astute people will notice that I have raised both the count and the
> seconds parameters to threshold in an attempt to cut down the number of
> alerts.
> 
> My understanding is that I should get just one alert every 900 seconds
> per source but instead I get:


No.. You'll get one alert for every 50 hosts scanned by the source in
a window of 900 seconds.   (basically, whichever is greater.   47 hosts
scanned will emit one alert after 900 seconds. 100 hosts in 900 seconds
will emit two.)

If you only want one alert every 900 seconds, you might want to use a
"both" type threshold instead of a "threshold" type.   rtfm, section 3.8.5.2 of
the 2.6.0 manual has a nice example.

-- 
Erik Fichtner; Unix Ronin

"Tyranny, whether it arises under threat of foreign physical attack
or under constant domestic authoritative scrutiny, is still tyranny.
Liberty requires security without intrusion--security plus privacy."
	- Bruce Schneier
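An added simulation, not from this thread or from Snort's own source, of the three threshold types as the Snort 2.6 manual describes them (limit, threshold, both), applied to the quoted rule's parameters (count 50, seconds 900, track by_src). The source address 10.0.0.1 and the evenly spaced scan timings are constructed sample input.

```python
"""Simulate Snort 2.x event thresholding (type limit / threshold / both)
for the quoted VNC rule: count 50, seconds 900, track by_src."""

COUNT, SECONDS = 50, 900


class Threshold:
    """Per-rule threshold state keyed by the tracked address (here the source)."""

    def __init__(self, kind, count=COUNT, seconds=SECONDS):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError(kind)
        self.kind, self.count, self.seconds = kind, count, seconds
        self.state = {}  # key -> (window_start, events_seen_in_window)

    def check(self, key, ts):
        """Return True if the event at time ts should be logged as an alert."""
        start, n = self.state.get(key, (ts, 0))
        if ts - start >= self.seconds:  # window expired: open a new one
            start, n = ts, 0
        n += 1
        fire = False
        if self.kind == "limit":  # the first `count` events per window alert
            fire = n <= self.count
        elif self.kind == "threshold":  # every `count`-th event alerts
            if n >= self.count:
                fire = True
                start, n = ts, 0  # counter and window restart on each alert
        elif self.kind == "both":  # one alert per window, once count is reached
            fire = n == self.count
        self.state[key] = (start, n)
        return fire


def alerts_for_scan(kind, hosts, duration, src="10.0.0.1"):
    """Constructed scan: one source (constructed address) sends one SYN to
    `hosts` targets, evenly spaced over `duration` seconds. Returns the alert count."""
    thd = Threshold(kind)
    step = duration / hosts
    return sum(thd.check(src, i * step) for i in range(hosts))


if __name__ == "__main__":
    for hosts, duration in ((47, 900), (100, 900), (100, 1800)):
        for kind in ("limit", "threshold", "both"):
            print(f"{hosts:4d} hosts in {duration:5d}s, type {kind:9s}: "
                  f"{alerts_for_scan(kind, hosts, duration)} alert(s)")
```

Running it shows why "both" is the noise reducer: 100 SYNs inside one 900 s window give two alerts under type threshold but a single alert under type both, while a scan that never reaches 50 events stays silent under either.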

