RE: [Snort-users] Snort 2.0.4 and threshold

Povel, Michael Michael.Povel at ...10534...
Wed Nov 12 04:56:03 EST 2003


Thanks, you are right, I was including the same rulefile twice, sorry.
 
But for the config parameter, what was I doing wrong?
 
cu
 
Michael
-----Original Message-----
From: Marc Norton [mailto:marc.norton at ...1935...]
Sent: Tuesday, 11 November 2003 21:21
To: 'Povel, Michael'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort 2.0.4 and threshold


What do the rule(s) and threshold commands look like that are in the .rules
file?  This message is complaining that you have 2 thresholds applied to the
specific rule.
 
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Povel, Michael
Sent: Tuesday, November 11, 2003 10:35 AM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Snort 2.0.4 and threshold
 
Hello all, 
I am just upgrading to snort 2.0.4 and I would like to use the new Nachi
rule from Paul L Schmehl.
But whenever I try to use any threshold stuff, my snort complains:
THRESHOLD: gen_id=1, sig_id=10000008, type=2, tracking=0, count=1000,
seconds=60 
ERROR: Rule-Threshold-Parse: could not create a threshold object -- only one
per sid, sid = 10000008 
Fatal Error, Quitting.. 
So I thought that I might need to initialise the threshold system, and found
that a:
config threshold: memcap 30000 
in the snort.conf breaks my snort even before the Rules are read ;-( 
So I looked at the sources and found that ProcessThresholdOptions is not
even used in parser.c or any other source file. I checked in the CVS, and in
the latest version at least a call to this function is in parser.c. So I
tried to use this in parser.c and at least got snort to accept the config
statement, but still without any success for the rule.
Did anyone get the rule:
alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!"; \
    content: "|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|"; \
    dsize:64; itype: 8; icode: 0; \
    threshold: type both, track by_src, count 1000, seconds 60; \
    classtype:trojan-activity; sid: 10000008; rev: 4;)
to work with a vanilla 2.0.4 snort?
Many thanks for any help. 
Michael 
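An added example, written for this page and not code from the thread or from Snort itself: a small Python model of what the threshold: option in the Nachi rule (type both, track by_src, count 1000, seconds 60) does to a stream of ICMP events, following the Snort 2.x manual's description of the limit, threshold and both types, together with the "only one threshold per sid" check that rejects the same rule file when it is included twice, which is what produced the error quoted above. The rule text, the 32 groups of "aaaa" (assumed here so that the content matches dsize:64), the addresses and the timestamps are all constructed for the example; the class and function names are mine.

```python
"""Model of Snort 2.x rule thresholding for the Nachi ICMP rule.

Assumed semantics (from the Snort 2.x manual, not from the thread):
  type limit     -> alert on the first `count` events in a window, then ignore
  type threshold -> alert on every `count`-th event in a window
  type both      -> alert once per window, when the `count`-th event is seen
Events are grouped by source (by_src) or destination (by_dst) address; a window
starts at the first event seen for that address and lasts `seconds`.
"""
import re

# Constructed copy of the rule from the post, joined onto one line.
# 32 groups of "aaaa" = 64 bytes, assumed here so that content and dsize:64 agree.
NACHI_RULE = (
    'alert icmp $HOME_NET any -> any any (msg:"ALERT!!! NACHI Infection!!"; '
    'content:"|' + ' '.join(['aaaa'] * 32) + '|"; dsize:64; itype:8; icode:0; '
    'threshold: type both, track by_src, count 1000, seconds 60; '
    'classtype:trojan-activity; sid:10000008; rev:4;)'
)

_THRESH_RE = re.compile(
    r'threshold:\s*type\s+(limit|threshold|both)\s*,\s*track\s+(by_src|by_dst)\s*,'
    r'\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)\s*;')
_SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


class RuleThreshold:
    """Per-sid thresholding state, keyed by source or destination address."""

    def __init__(self, sid, kind, track, count, seconds):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError("unknown threshold type: %r" % kind)
        self.sid, self.kind, self.track = sid, kind, track
        self.count, self.seconds = count, seconds
        self._win = {}  # tracking key -> (window_start, events_in_window)

    def event(self, src, dst, ts):
        """Record one matching packet; return True if it should raise an alert."""
        key = src if self.track == "by_src" else dst
        start, n = self._win.get(key, (ts, 0))
        if ts - start >= self.seconds:      # window expired: start a new one
            start, n = ts, 0
        n += 1
        self._win[key] = (start, n)
        if self.kind == "limit":
            return n <= self.count          # first `count` events per window
        if self.kind == "threshold":
            return n % self.count == 0      # every `count`-th event per window
        return n == self.count              # both: once per window, at event `count`


def parse_threshold(rule):
    """Return (sid, RuleThreshold) for a one-line rule carrying threshold:, else None."""
    sid_m = _SID_RE.search(rule)
    thr_m = _THRESH_RE.search(rule)
    if not sid_m or not thr_m:
        return None
    sid = int(sid_m.group(1))
    kind, track, count, seconds = thr_m.groups()
    return sid, RuleThreshold(sid, kind, track, int(count), int(seconds))


def load_thresholds(rule_lines):
    """Build the sid -> RuleThreshold table; a second threshold for the same sid is
    refused, mirroring Snort 2.0.4's 'only one per sid' fatal error."""
    table = {}
    for line in rule_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_threshold(line)
        if parsed is None:
            continue
        sid, thr = parsed
        if sid in table:
            raise ValueError(
                "could not create a threshold object -- only one per sid, sid = %d" % sid)
        table[sid] = thr
    return table


def simulate(thr, events):
    """Feed (src, dst, ts) tuples through `thr`; return the timestamps that alerted."""
    return [ts for src, dst, ts in events if thr.event(src, dst, ts)]


if __name__ == "__main__":
    sid, thr = parse_threshold(NACHI_RULE)
    # Constructed event stream: one host sends 1500 Nachi-style pings in 60 s.
    pings = [("10.0.0.5", "10.0.0.%d" % (i % 250 + 1), i // 25) for i in range(1500)]
    print("sid", sid, "alerts at t =", simulate(thr, pings))   # one alert, at the 1000th ping
```

Including the same rules file twice feeds load_thresholds() the Nachi rule a second time and triggers the same refusal Snort printed; the manual states the same restriction for a rule-level threshold: combined with a standalone threshold line for the same gen_id/sig_id pair.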