[Snort-users] thresholding

Robert Vance Jr rev at ...10091...
Mon Sep 22 15:08:15 EDT 2003


I believe you need to add the thresholding arguments to the signature
definition itself.  Try something like:

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Welchia"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; itype:8; depth:32; reference:arachnids,154; sid:483; classtype:misc-activity; threshold: type limit, track by_src, count 1, seconds 60; rev:3;)

This should limit you to one Welchia alert per infected host per minute.

Also be wary of false positives using this specific sig, as it would appear that Yahoo Messenger sends a keep-alive ping that matches that specific signature as well.

rev

On Mon, 2003-09-22 at 14:59, Doug Nordwall wrote:
> I'm trying to suppress or threshold a particular rule with snort 2.0.2. 
> I've read the README.thresholding over and am attempting the following
>
> suppress gen_id 1, sig_id 483, track by_dst, ip x.x.x.x/x
> threshold gen_id 1, sig_id 483, type threshold, track by_src, count 3, 
> seconds 60
> threshold gen_id 1, sig_id 483, type threshold, track by_dst, count 3, 
> seconds 60
> 
> none of them seem to stem the flow at all (outputting in unified 
> format, reading fast.alert from barnyard output)
> 
> I have not removed rule 483.
> 
> Anyone know what I might be doing wrong?
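The difference between the three threshold types discussed in this thread (type limit with count 1 as in the suggested rule, versus type threshold with count 3 as in the original config) is easiest to see by replaying sample events through the counting logic. The following is an added example, not code from either poster or from Snort: it models the README.thresholding semantics (limit = first N events per tracked IP per window, threshold = every Nth event, both = once per window after N events) over constructed sid 483 hits from a scanning host.

```python
from dataclasses import dataclass, field


@dataclass
class Threshold:
    """Model of one Snort 2.x threshold: type limit|threshold|both, track by_src|by_dst."""
    kind: str
    track: str
    count: int
    seconds: int
    state: dict = field(default_factory=dict)  # tracked IP -> (window_start, events_seen)

    def should_alert(self, event):
        key = event["src"] if self.track == "by_src" else event["dst"]
        ts = event["ts"]
        start, seen = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0              # window expired (or first hit): start a new one
        seen += 1
        self.state[key] = (start, seen)
        if self.kind == "limit":             # log the first `count` events per window
            return seen <= self.count
        if self.kind == "threshold":         # log every `count`th event; window restarts on log
            if seen >= self.count:
                self.state[key] = (ts, 0)
                return True
            return False
        if self.kind == "both":              # log once per window, after `count` events
            return seen == self.count
        raise ValueError(f"unknown threshold type {self.kind!r}")


def count_alerts(threshold, events):
    """Number of events that would still reach the output plugin under `threshold`."""
    return sum(1 for e in events if threshold.should_alert(e))


# Constructed sample data (hypothetical addresses): one infected host probes a new
# destination every 5 seconds; a second host sends a single matching ping.
EVENTS = [{"ts": 5 * i, "src": "10.0.0.5", "dst": f"172.16.1.{i}"} for i in range(10)]
EVENTS.append({"ts": 20, "src": "10.0.0.9", "dst": "172.16.1.1"})
EVENTS.sort(key=lambda e: e["ts"])

if __name__ == "__main__":
    for kind, count in (("limit", 1), ("threshold", 3), ("both", 3)):
        print(f"type {kind}, count {count}, by_src:",
              count_alerts(Threshold(kind, "by_src", count, 60), EVENTS), "alerts")
    print("type limit, count 1, by_dst:",
          count_alerts(Threshold("limit", "by_dst", 1, 60), EVENTS), "alerts")
```

Tracking by_dst barely reduces the volume here because a scanning host presents a fresh destination (and so a fresh counter) on almost every packet, which is why per-infected-host tracking with by_src is the natural choice for this signature.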
