[Snort-users] Reset Counters

Erek Adams erek at ...950...
Fri Jan 24 06:02:08 EST 2003


On Thu, 23 Jan 2003, Bob McDowell wrote:

> Bring on the penalty drinks, but I need help.

Why I don't know what you mean sir!  ;-)

> True or False: 'USER overflow' rules are triggered by the same IP passing
> too many 'USER' commands from the same IP within a specified amount of time.

False.

> At first I thought this was how this worked.  Testing certainly seemed to
> prove it out to be so.  If this is the case, I need to allow more
> consecutive attempts before I sent a 'resp' packet.

You really can't do that.  Snort currently doesn't have a "this rule was
triggered X times, so now do this" type of feature.

> In researching the rule (specifically the FTP USER overflow rule) I can't
> find anything that relates to my observation.  From looking at the rule, it
> seems to examine the content of each packet - and not have anything to do
> with the number of tries.

Right.  It's looking at for 0a (hex) within 100 bytes of the USER
command in a FTP session.

> Thus, confusion ensues.

Confusion abounds _everywhere_!  Welcome to the club!

> Any help would be greatly appreciated.  Also anything written more clearly
> than the 'How to Write..' that might explain this would be great.  Maybe I'm
> just tired, but it is giving me a headache.

Nope, nothing more than that or the FAQ.  My suggestion is to print it,
and then flip thru the paper version.  That makes it easier to read for
me.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list