[Snort-users] thresholding

Doug Nordwall doug at ...10143...
Mon Sep 22 13:01:02 EDT 2003


I'm trying to suppress or threshold a particular rule with snort 2.0.2. 
I've read the README.thresholding over and am attempting the following

rule is sid:483 (the cyberkit..i'm trying to squelch welchia a bit)

I put in a line in snort.conf for rules in local-limits.rules

the file itself says:
suppress gen_id 1, sig_id 483

I've tried:
suppress gen_id 1, sig_id 483, track by_dst, ip x.x.x.x/x
threshold gen_id 1, sig_id 483, type threshold, track by_src, count 3, 
seconds 60
threshold gen_id 1, sig_id 483, type threshold, track by_dst, count 3, 
seconds 60

none of them seem to stem the flow at all (outputting in unified 
format, reading fast.alert from barnyard output)

I have not removed rule 483.

Anyone know what I might be doing wrong?

Doug Nordwall					doug at ...10143...
pgp fingerprint: 3CC7 B302 CB87 BCF3 F080  DF9D 43DF A123 D9D3 074E





More information about the Snort-users mailing list