[Snort-users] Reset Counters

Erek Adams erek at ...950...
Fri Jan 24 06:02:08 EST 2003

On Thu, 23 Jan 2003, Bob McDowell wrote:

> Bring on the penalty drinks, but I need help.

Why I don't know what you mean sir!  ;-)

> True or False: 'USER overflow' rules are triggered by the same IP passing
> too many 'USER' commands from the same IP within a specified amount of time.


> At first I thought this was how this worked.  Testing certainly seemed to
> prove it out to be so.  If this is the case, I need to allow more
> consecutive attempts before I sent a 'resp' packet.

You really can't do that.  Snort currently doesn't have a "this rule was
triggered X times, so now do this" type of feature.

> In researching the rule (specifically the FTP USER overflow rule) I can't
> find anything that relates to my observation.  From looking at the rule, it
> seems to examine the content of each packet - and not have anything to do
> with the number of tries.

Right.  It's looking at for 0a (hex) within 100 bytes of the USER
command in a FTP session.

> Thus, confusion ensues.

Confusion abounds _everywhere_!  Welcome to the club!

> Any help would be greatly appreciated.  Also anything written more clearly
> than the 'How to Write..' that might explain this would be great.  Maybe I'm
> just tired, but it is giving me a headache.

Nope, nothing more than that or the FAQ.  My suggestion is to print it,
and then flip thru the paper version.  That makes it easier to read for


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

More information about the Snort-users mailing list