[Snort-sigs] Odd thresholding error
r.fulton at ...575...
Mon Jun 12 20:27:48 EDT 2006
Hi, I am generating some rules to look for traffic to known botnet
C&Cs. These rules are generated by a Perl script and, to get unique sids
which do not change as C&Cs appear and disappear, I decided to use the
decimal form of the IP address as a sid.
All appears to work but I get this error when the rules are loaded into
FATAL ERROR: Rule-Threshold-Parse: could not create a threshold object
-- only one per sid, sid = 2147483647
There is no rule with sid = 2147483647 :(
Here is a typical rule:
alert tcp $HOME_NET any -> xxx.yyy177.226 6667 (msg: Botnet C&C aaaa.bbbb.us; threshold: type limit,track by_src,count 1,seconds 21600; tag: session,20,packets; classtype: botnet; sid: 2534564450; rev: 1;)
I.e., sids are 32-bit numbers.
Any ideas as to where to look for the problem?
Any bright ideas on other schemes to generate sids?
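Added example, not part of the original post or of Snort itself: a Python script that reproduces the decimal-IP sid scheme described above, checks every generated sid against the 2147483647 limit that appears in the error message, and offers an alternative deterministic scheme that stays in range while still not depending on the order in which C&C hosts appear or disappear. It assumes that Snort stores the sid in a signed 32-bit integer (consistent with the error value, which is 2**31 - 1, but an assumption here) and that local sids should start at 1000000. The sample addresses come from the RFC 5737 documentation ranges and the host name is a constructed placeholder; the rule layout and "classtype: botnet" are taken from the post.

```python
import hashlib
import ipaddress

# 2147483647 is 2**31 - 1, the value Snort reported in the error message.
# Assumption: the threshold parser reads the sid into a signed 32-bit integer,
# so any larger sid cannot survive as a distinct value.
SNORT_SID_MAX = 2**31 - 1
# Snort reserves sids below 1000000 for its own rule sets; local rules go above.
LOCAL_SID_BASE = 1_000_000


def ip_to_decimal(ip: str) -> int:
    """The scheme from the post: the IPv4 address as one decimal number."""
    return int(ipaddress.IPv4Address(ip))


def fits_snort_sid(sid: int) -> bool:
    """True if the sid can be stored in a signed 32-bit integer."""
    return 0 < sid <= SNORT_SID_MAX


def first_out_of_range_ip() -> str:
    """Every address from this one upwards has a decimal form above SNORT_SID_MAX."""
    return str(ipaddress.IPv4Address(SNORT_SID_MAX + 1))  # 128.0.0.0


def hashed_sid(ip: str, base: int = LOCAL_SID_BASE, span: int = 100_000_000) -> int:
    """Alternative scheme: a deterministic sid derived from a hash of the address.

    Same input always gives the same sid, the sid does not depend on the order
    in which C&C hosts are listed, and it always lies in [base, base + span),
    well inside the signed 32-bit range.
    """
    digest = hashlib.sha256(ip.encode("ascii")).digest()
    return base + int.from_bytes(digest[:8], "big") % span


def assign_sids(ips, base: int = LOCAL_SID_BASE, span: int = 100_000_000) -> dict:
    """Map each address to a hashed sid, refusing to hand out one sid twice.

    A collision is unlikely with a span of 10**8, but it would produce exactly
    the 'only one per sid' error from the post, so it is caught here instead of
    at Snort start-up.
    """
    seen = {}  # sid -> ip
    for ip in ips:
        sid = hashed_sid(ip, base, span)
        if sid in seen and seen[sid] != ip:
            raise ValueError(f"sid {sid} collides: {seen[sid]} and {ip}")
        seen[sid] = ip
    return {ip: sid for sid, ip in seen.items()}


def render_rule(ip: str, sid: int, name: str) -> str:
    """Emit a rule in the layout used in the post, with the sid range enforced."""
    if not fits_snort_sid(sid):
        raise ValueError(f"sid {sid} exceeds {SNORT_SID_MAX}")
    return (
        f'alert tcp $HOME_NET any -> {ip} 6667 (msg:"Botnet C&C {name}"; '
        "threshold: type limit, track by_src, count 1, seconds 21600; "
        "tag: session,20,packets; classtype: botnet; "
        f"sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    # Constructed sample addresses (RFC 5737 documentation ranges).
    samples = ["192.0.2.10", "198.51.100.23", "203.0.113.7"]
    for ip in samples:
        dec = ip_to_decimal(ip)
        print(f"{ip:>15} decimal={dec:<11} fits_sid={fits_snort_sid(dec)}")
    for ip, sid in assign_sids(samples).items():
        print(render_rule(ip, sid, "example.invalid"))
```

Running it shows that any address at or above 128.0.0.0 already exceeds 2147483647 in decimal form, so roughly half the IPv4 space cannot serve as a sid under the original scheme; the hashed scheme keeps the stability property the post asks for without that limit, at the cost of checking for collisions when the list is regenerated.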