[Snort-sigs] about threshold

강명훈 mhkang589 at ...2420...
Tue Jul 14 10:38:54 EDT 2015


Hi everyone.
I have made the rules below.

alert udp any any -> 16x.12x.10x.2 53 (msg:"scan test"; threshold:type threshold, track by_src, count 1, seconds 2; classtype:TEST; sid:1999949;)
alert udp any any -> 16x.12x.10x.2 53 (msg:"flood test"; threshold:type threshold, track by_dst, count 1, seconds 2; classtype:TEST; sid:1999950;)


And I have tested with nslookup.
It generated two packets (A and AAAA records) per DNS query.

My expectation was that two 'scan test' events would happen.
But two 'scan test' events and two 'flood test' events happened.

Why are different rules matching the same packet?
Is it normal?

-- 

*kangmyounghun.blogspot.kr <http://kangmyounghun.blogspot.kr/>*
*kr.linkedin.com/pub/myounghun-kang/74/238/93a*
<http://kr.linkedin.com/pub/myounghun-kang/74/238/93a>
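Editorial note: the following is an added example, not part of the post above. It models how Snort's rule-level threshold keyword keeps a separate counter per rule (sid) and per tracked address, and replays constructed packets standing in for the A and AAAA queries from the post; the source address, timings and the extra limit/both types are assumptions made here to show the general behaviour of the keyword.

```python
# Constructed sample traffic: one nslookup sends an A query and an AAAA query
# to the poster's resolver 0.1 s apart (addresses are placeholders).
PACKETS = [
    {"t": 0.0, "src": "10.0.0.5", "dst": "16x.12x.10x.2", "dport": 53, "qtype": "A"},
    {"t": 0.1, "src": "10.0.0.5", "dst": "16x.12x.10x.2", "dport": 53, "qtype": "AAAA"},
]

# The two rules from the post, reduced to the fields the threshold logic uses.
RULES = [
    {"sid": 1999949, "msg": "scan test", "type": "threshold", "track": "by_src", "count": 1, "seconds": 2},
    {"sid": 1999950, "msg": "flood test", "type": "threshold", "track": "by_dst", "count": 1, "seconds": 2},
]

class Thresholder:
    """Simplified model of Snort's threshold keyword: one counter per (sid, tracked address)."""

    def __init__(self):
        self.state = {}  # (sid, address) -> (window_start, events_in_window)

    def allow(self, rule, pkt):
        """Return True if this rule's event for this packet should be logged."""
        addr = pkt["src"] if rule["track"] == "by_src" else pkt["dst"]
        key = (rule["sid"], addr)
        start, n = self.state.get(key, (None, 0))
        if start is None or pkt["t"] - start >= rule["seconds"]:
            start, n = pkt["t"], 0  # window expired (or first event): open a new one
        n += 1
        self.state[key] = (start, n)
        if rule["type"] == "limit":      # log the first `count` events per window
            return n <= rule["count"]
        if rule["type"] == "threshold":  # log every `count`-th event
            return n % rule["count"] == 0
        if rule["type"] == "both":       # log once per window, on the `count`-th event
            return n == rule["count"]
        raise ValueError(f"unknown threshold type {rule['type']!r}")

def run(packets, rules):
    """Evaluate every rule against every packet; each rule keeps its own threshold state."""
    th = Thresholder()
    alerts = []
    for pkt in packets:
        for rule in rules:
            if pkt["dport"] == 53 and th.allow(rule, pkt):
                alerts.append((pkt["t"], rule["sid"], rule["msg"]))
    return alerts

if __name__ == "__main__":
    for t, sid, msg in run(PACKETS, RULES):
        print(f"t={t:.1f}s sid={sid} {msg}")
```

With count 1 and type threshold every event is logged, so two packets yield two alerts for each rule independently; Snort 2.9 documents the rule-level threshold keyword as deprecated in favour of detection_filter (per rule) and event_filter (in snort.conf), with the same counting semantics.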