[Snort-sigs] Odd thresholding error

Russell Fulton r.fulton at ...575...
Mon Jun 12 20:27:48 EDT 2006


Hi,  I am generating some rules to look for traffic to known botnet
C&Cs.  These rules are generated by a perl script and to get unique sids
which do not change as C&Cs appear and disappear I decided to use the
decimal form of the IP address as a sid.

All appears to work, but I get this error when the rules are loaded into
snort:

 FATAL ERROR: Rule-Threshold-Parse: could not create a threshold object
-- only one per sid, sid = 2147483647

There is no rule with sid = 2147483647 :(

Here is a typical rule:

alert tcp $HOME_NET any -> xxx.yyy177.226 6667 (msg:"Botnet C&C aaaa.bbbb.us"; threshold: type limit, track by_src, count 1, seconds 21600; tag: session,20,packets; classtype: botnet; sid: 2534564450; rev: 1;)

I.e., sids are 32-bit numbers.

Any ideas as to where to look for the problem?

Any bright ideas on other schemes to generate sids?

Russell
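The following is an added example, not the poster's Perl generator and not part of the original message. It models the behaviour the error suggests and shows an alternative sid scheme. The value in the error, 2147483647, is 2^31 - 1, the largest signed 32-bit integer, and the sid in the posted rule (2534564450) is above it; the assumption modelled here is that Snort reads the sid into a signed 32-bit integer and an oversized value saturates to that maximum, so every C&C whose first octet is 128 or higher collapses onto the same sid and the second such rule trips "only one per sid". The replacement scheme assigns sids sequentially above a local base (LOCAL_SID_BASE = 1000000, the usual floor for local rules) and pins each address to its sid in a JSON registry, so sids stay stable as C&Cs come and go. The addresses and hostnames are constructed from the RFC 5737 TEST-NET ranges, not real C&Cs.

```python
"""Stable sids for generated botnet C&C rules.

Added example, not the poster's Perl generator.  Assumptions: that Snort stores
the sid in a signed 32-bit integer and that an oversized value saturates to
2147483647 (an inference from the error message, modelled by saturating_int32),
a local sid range starting at LOCAL_SID_BASE, and a JSON registry file that
pins each C&C address to the sid it was first given.  All addresses below are
constructed (TEST-NET ranges), not real C&Cs.
"""
import ipaddress
import json
from pathlib import Path

INT32_MAX = 2**31 - 1       # 2147483647, the sid Snort complained about
LOCAL_SID_BASE = 1_000_000  # conventional floor for locally assigned sids


def ip_to_int(addr: str) -> int:
    """Decimal form of a dotted-quad IPv4 address: the poster's sid scheme."""
    return int(ipaddress.IPv4Address(addr))


def saturating_int32(value: int) -> int:
    """Model a parser that reads the sid into a signed 32-bit int and clamps on
    overflow (what strtol() does when long is 32 bits).  Every address whose
    first octet is >= 128 maps to the same number, hence "only one per sid"."""
    return min(value, INT32_MAX)


def assign_sids(addrs, registry):
    """Return {addr: sid} for addrs, reusing sids already in registry and
    allocating fresh ones sequentially above LOCAL_SID_BASE.  Entries are never
    deleted, so a C&C that disappears and returns gets its old sid back."""
    next_sid = max(registry.values(), default=LOCAL_SID_BASE - 1) + 1
    for addr in addrs:
        if addr not in registry:
            if next_sid > INT32_MAX:
                raise OverflowError("local sid space exhausted")
            registry[addr] = next_sid
            next_sid += 1
    return {addr: registry[addr] for addr in addrs}


def load_registry(path):
    """Registry file (assumed JSON, addr -> sid); empty dict on first run."""
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


def save_registry(path, registry):
    Path(path).write_text(json.dumps(registry, indent=1, sort_keys=True))


def make_rule(addr, name, sid, rev=1):
    """Emit one rule in the poster's shape; msg is quoted and the sid is checked
    against the signed 32-bit range before it ever reaches snort."""
    if not 1 <= sid <= INT32_MAX:
        raise ValueError(f"sid {sid} outside 1..{INT32_MAX}")
    return (f'alert tcp $HOME_NET any -> {addr} 6667 (msg:"Botnet C&C {name}"; '
            'threshold: type limit, track by_src, count 1, seconds 21600; '
            f'tag: session,20,packets; classtype: botnet; sid: {sid}; rev: {rev};)')


# Constructed sample data (RFC 5737 TEST-NET addresses), not real C&Cs.
SAMPLE_CNC = {"192.0.2.10": "cnc-a.example", "198.51.100.7": "cnc-b.example"}


def demo():
    # 1. The original scheme: both sample sids exceed INT32_MAX and collide.
    raw = {a: ip_to_int(a) for a in SAMPLE_CNC}
    collapsed = {saturating_int32(s) for s in raw.values()}
    # 2. The registry scheme: small, stable, unique sids.
    registry = {}
    sids = assign_sids(list(SAMPLE_CNC), registry)
    rules = [make_rule(a, SAMPLE_CNC[a], sids[a]) for a in SAMPLE_CNC]
    return raw, collapsed, sids, rules


if __name__ == "__main__":
    raw, collapsed, sids, rules = demo()
    print("decimal IPs:", raw, "-> after signed-32-bit parse:", collapsed)
    for r in rules:
        print(r)
```

In a real generator you would call load_registry() before assign_sids() and save_registry() afterwards, so the mapping survives between runs; because entries are never removed, an address that drops off the C&C list and later reappears keeps the sid it had, which is the stability the decimal-IP scheme was meant to provide without exceeding the 32-bit signed range.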



