doug at ...10143...
Mon Sep 22 21:45:04 EDT 2003
Tried this as well. Not working for me.
Chris is looking at it, so perhaps some light will be shed.
On Monday, September 22, 2003, at 03:09 PM, Robert Vance Jr wrote:
> I believe you need to add the thresholding arguments to the signature
> definition itself. Try something like:
> alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Welchia";
> reference:arachnids,154; sid:483; classtype:misc-activity; threshold:
> type limit, track by_src, count 1, seconds 60 ; rev:3;)
> This should limit you to one welchia alert per infected host per
> Also be wary of false positives using this specific sig as it would
> appear that the yahoo messenger sends a keep alive ping that matches
> that specific signature as well.
> On Mon, 2003-09-22 at 14:59, Doug Nordwall wrote:
>> I'm trying to suppress or threshold a particular rule with snort
>> I've read the README.thresholding over and am attempting the following
>> suppress gen_id 1, sig_id 483, track by_dst, ip x.x.x.x/x
>> threshold gen_id 1, sig_id 483, type threshold, track by_src, count 3,
>> seconds 60
>> threshold gen_id 1, sig_id 483, type threshold, track by_dst, count 3,
>> seconds 60
>> none of them seem to stem the flow at all (outputting in unified
>> format, reading fast.alert from barnyard output)
>> I have not removed rule 483.
>> Anyone know what I might be doing wrong?
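The thread above compares `type threshold` and `type limit` with `track by_src`/`by_dst` for sid 483, so the following added simulation (not Snort's code, not from anyone in the thread) shows how many alerts each of the three README.thresholding types leaves for the output plugin on a constructed event stream; the host addresses, timestamps and the fixed-window reset are assumptions for illustration.

```python
from collections import namedtuple

# Simulation of Snort's three threshold types as described in README.thresholding
# (added illustrative code, not Snort's implementation):
#   limit:     alert on the first `count` events per `seconds` window, then suppress
#   threshold: alert on every `count`-th event within the window
#   both:      alert once per window, and only after `count` events have been seen
# Simplification: a window opens at the first event for a key and is reset once an
# event arrives `seconds` or more after it opened.
Event = namedtuple("Event", "ts src dst")

class Threshold:
    def __init__(self, ttype, track, count, seconds):
        assert ttype in ("limit", "threshold", "both") and track in ("by_src", "by_dst")
        self.ttype, self.track, self.count, self.seconds = ttype, track, count, seconds
        self.state = {}  # key -> (window_start, events_in_window, alerted_in_window)

    def check(self, ev):
        """Return True if this event should still produce an alert."""
        key = ev.src if self.track == "by_src" else ev.dst
        start, n, alerted = self.state.get(key, (ev.ts, 0, False))
        if ev.ts - start >= self.seconds:      # window expired: start a new one
            start, n, alerted = ev.ts, 0, False
        n += 1
        if self.ttype == "limit":
            fire = n <= self.count
        elif self.ttype == "threshold":
            fire = n % self.count == 0
        else:                                  # both
            fire = n >= self.count and not alerted
        self.state[key] = (start, n, alerted or fire)
        return fire

def count_alerts(ttype, track, count, seconds, events):
    """Number of alerts left for the output plugin after thresholding."""
    th = Threshold(ttype, track, count, seconds)
    return sum(1 for ev in sorted(events, key=lambda e: e.ts) if th.check(ev))

# Constructed sample: one "infected" host pinging the same target every 5 s for a
# minute and once more at 65 s, plus a second host that sends two pings.
EVENTS = (
    [Event(t, "10.0.0.5", "192.0.2.1") for t in range(0, 60, 5)]
    + [Event(65, "10.0.0.5", "192.0.2.1")]
    + [Event(t, "10.0.0.9", "192.0.2.1") for t in (10, 20)]
)

if __name__ == "__main__":
    for ttype, count in (("limit", 1), ("threshold", 3), ("both", 3)):
        print(f"type {ttype}, track by_src, count {count}, seconds 60 ->",
              count_alerts(ttype, "by_src", count, 60, EVENTS), "alerts")
```

With `type limit, count 1` the infected host produces one alert per 60-second window and the second host one more; with `type threshold, count 3` the same 15 events yield an alert on every third ping from the infected host and nothing from the host that only pinged twice.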