[Snort-users] thresholding

Doug Nordwall doug at ...10143...
Mon Sep 22 21:45:04 EDT 2003


Tried this as well. Not working for me.

Chris is looking at it, so perhaps some light will be shed

On Monday, September 22, 2003, at 03:09 PM, Robert Vance Jr wrote:

> I believe you need to add the thresholding arguments to the signature
> definition itself.  Try something like:
>
> alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Welchia"; 
> content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;depth:32; 
> reference:arachnids,154; sid:483; classtype:misc-activity; threshold: 
> type limit, track by_src, count 1, seconds 60 ; rev:3;)
>
> This should limit you to one Welchia alert per infected host per 
> minute.
>
> Also be wary of false positives using this specific sig, as it would 
> appear that Yahoo Messenger sends a keep-alive ping that matches 
> that specific signature as well.
>
> rev
>
> On Mon, 2003-09-22 at 14:59, Doug Nordwall wrote:
>> I'm trying to suppress or threshold a particular rule with snort 
>> 2.0.2.
>> I've read the README.thresholding over and am attempting the following
>>
>> suppress gen_id 1, sig_id 483, track by_dst, ip x.x.x.x/x
>> threshold gen_id 1, sig_id 483, type threshold, track by_src, count 3,
>> seconds 60
>> threshold gen_id 1, sig_id 483, type threshold, track by_dst, count 3,
>> seconds 60
>>
>> none of them seem to stem the flow at all (outputting in unified
>> format, reading fast.alert from barnyard output)
>>
>> I have not removed rule 483.
>>
>> Anyone know what I might be doing wrong?
>
>
>
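The thread turns on what `type limit` versus `type threshold`, and `track by_src` versus `track by_dst`, actually do to the alert stream. The following is an added illustration written for this page, not Snort's code and not anything posted in the thread: a small model of the `suppress` and `threshold` semantics documented in README.thresholding (limit: alert on the first `count` events per window; threshold: alert every `count` events; both: alert once per window after `count` events), run over a constructed stream of sid 483 events from one scanning host. The source and destination addresses, the `10.1.1.0/29` suppress range, and the timestamps are all made up for the example.

```python
"""Model of Snort 2.x threshold.conf semantics (added example, not Snort's code).

  limit      alert on the first `count` events per `seconds` window, then drop
  threshold  alert every `count` events within the window
  both       alert once per window after `count` events, then drop
A constructed event stream stands in for Snort's detection output.
"""
import ipaddress


class Suppress:
    """suppress gen_id G, sig_id S, track by_src|by_dst, ip CIDR"""

    def __init__(self, gen_id, sig_id, track, ip):
        self.gen_id, self.sig_id, self.track = gen_id, sig_id, track
        self.net = ipaddress.ip_network(ip, strict=False)

    def allow(self, ev):
        if (ev["gen_id"], ev["sig_id"]) != (self.gen_id, self.sig_id):
            return True  # only the named signature is affected
        addr = ev["src"] if self.track == "by_src" else ev["dst"]
        return ipaddress.ip_address(addr) not in self.net


class Threshold:
    """threshold gen_id G, sig_id S, type T, track by_src|by_dst, count N, seconds W"""

    def __init__(self, gen_id, sig_id, ttype, track, count, seconds):
        if ttype not in ("limit", "threshold", "both"):
            raise ValueError("unknown threshold type: %s" % ttype)
        self.gen_id, self.sig_id, self.ttype = gen_id, sig_id, ttype
        self.track, self.count, self.seconds = track, count, seconds
        self._win = {}  # tracked address -> (window_start_ts, events_in_window)

    def allow(self, ev):
        if (ev["gen_id"], ev["sig_id"]) != (self.gen_id, self.sig_id):
            return True
        key = ev["src"] if self.track == "by_src" else ev["dst"]
        start, n = self._win.get(key, (None, 0))
        if start is None or ev["ts"] - start >= self.seconds:
            start, n = ev["ts"], 0  # window expired (or first event): start a new one
        n += 1
        self._win[key] = (start, n)
        if self.ttype == "limit":
            return n <= self.count
        if self.ttype == "threshold":
            return n % self.count == 0
        return n == self.count  # both


def apply_filters(filters, events):
    """Events that survive every suppress/threshold filter, i.e. what Snort would log."""
    return [ev for ev in events if all(f.allow(ev) for f in filters)]


def welchia_events(src, dsts, start_ts, gap):
    """Constructed stream: one sid 483 ICMP echo from `src` to each dst, `gap` seconds apart."""
    return [{"gen_id": 1, "sig_id": 483, "src": src, "dst": d, "ts": start_ts + i * gap}
            for i, d in enumerate(dsts)]


def demo():
    # Constructed: one infected host pings seven targets in 30 seconds.
    dsts = ["10.1.1.%d" % i for i in range(1, 8)]
    ev = welchia_events("192.168.1.5", dsts, 0, 5)
    return {
        "raw": len(ev),
        # "type threshold, track by_src, count 3, seconds 60": alerts on pings 3 and 6
        "threshold_by_src": len(apply_filters([Threshold(1, 483, "threshold", "by_src", 3, 60)], ev)),
        # same line with track by_dst: every target is hit once, so nothing reaches count 3
        "threshold_by_dst": len(apply_filters([Threshold(1, 483, "threshold", "by_dst", 3, 60)], ev)),
        # "type limit, track by_src, count 1, seconds 60": one alert per source per minute
        "limit_by_src": len(apply_filters([Threshold(1, 483, "limit", "by_src", 1, 60)], ev)),
        # "suppress ... track by_dst, ip 10.1.1.0/29": all seven targets fall in the range
        "suppress_lab": len(apply_filters([Suppress(1, 483, "by_dst", "10.1.1.0/29")], ev)),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print("%-18s %d alert(s)" % (name, alerts))
```

The `threshold_by_dst` case is the one worth noting when reading the configs in the thread: a `type threshold` line tracked by destination only fires once a single destination has accumulated `count` events in the window, so against a host that sprays one probe per target it produces no alerts at all, while the same line tracked by source alerts on every third probe.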
