doug at ...10143...
Tue Sep 23 06:48:09 EDT 2003
regardless of this, none of them work. Please go back and check the
original email in this thread. I can't even get the most simple case of
suppressing a particular rule to work. This thread seems to have
mutated into "am I using the rule right" and missed the "can I use it
at all" part :) I tried multiple options, with src and dst. Most
importantly, though, suppress didn't work with no src _or_ dst. It's
not a problem of me limiting or thresholding. It's not a problem in
which way to go. It's a fundamental problem with it just flat out not
Fortunately, Chris is working on it :) Thanks again.
On Tuesday, September 23, 2003, at 12:43 AM, Jyri Hovila wrote:
>>> I believe you need to add the thresholding arguments to the signature
>>> definition itself. Try something like:
>>> alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Welchia";
>>> reference:arachnids,154; sid:483; classtype:misc-activity; threshold:
>>> type limit, track by_src, count 1, seconds 60 ; rev:3;)
>>> This should limit you to one welchia alert per infected host per
> In my opinion it's more useful to use track by_dst for now, until
> Welchia traffic reduces to a sensible level. There are so many infected
> hosts at this time that there's no point in trying to track by source.
> I'm running Snort on 10 hosts and had to radically calm down the
> rule in order to prevent my central database from being clogged by
> Welchia alerts. Here's the rule I use:
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP PING \
> Welchia worm [LIMITED]"; content:"|aaaa aaaa aaaa aaaa aaaa aaaa aaaa \
> aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa \
> aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|";itype:8; \
> dsize:64; classtype:trojan-activity; sid:1000000; threshold: \
> type limit, track by_dst, count 1, seconds 900;)
> - j.
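To make the by_src versus by_dst argument in the quoted reply concrete, here is an added example (not part of the original thread and not Snort's own code): a small Python model of Snort 2.x `threshold` semantics (type limit/threshold/both, track by_src/by_dst, count, seconds) and of a `threshold.conf` `suppress` entry, run over constructed ICMP echo events. The addresses, timestamps and event layout are assumptions made for illustration.

```python
# Added example: a model of Snort 2.x 'threshold' and 'suppress' semantics
# (not Snort's own code). Events are constructed dicts, not real packets.

class Threshold:
    """threshold: type limit|threshold|both, track by_src|by_dst, count N, seconds S"""

    def __init__(self, type_, track, count, seconds):
        assert type_ in ("limit", "threshold", "both") and track in ("by_src", "by_dst")
        self.type, self.track, self.count, self.seconds = type_, track, count, seconds
        self._state = {}  # tracked address -> (window start, events seen in window)

    def allow(self, event):
        """True if this rule match should still produce an alert."""
        key = event["src"] if self.track == "by_src" else event["dst"]
        start, seen = self._state.get(key, (None, 0))
        if start is None or event["ts"] - start >= self.seconds:
            start, seen = event["ts"], 0  # new time window for this address
        seen += 1
        self._state[key] = (start, seen)
        if self.type == "limit":       # alert on the first N per window, then ignore
            return seen <= self.count
        if self.type == "threshold":   # alert on every N-th event
            return seen % self.count == 0
        return seen == self.count      # both: one alert per window, once N are seen

def suppressed(event, sid, track=None, ip=None):
    """suppress gen_id 1, sig_id SID [, track by_src|by_dst, ip ADDR] from threshold.conf."""
    if event["sid"] != sid:
        return False
    if track is None:
        return True  # bare suppress: never alert on this sid
    return event["src" if track == "by_src" else "dst"] == ip

def constructed_welchia_pings(n_hosts, target="10.0.0.5", pings_per_host=3):
    """Constructed sample: n_hosts infected sources each send ICMP echo to one target
    within a single 900 s window (timestamps in seconds, addresses made up)."""
    return [{"ts": i * 10 + j, "src": f"192.168.1.{i + 1}", "dst": target,
             "sid": 1000000, "itype": 8, "dsize": 64}
            for i in range(n_hosts) for j in range(pings_per_host)]

def alert_counts(events):
    """Alerts produced by the same rule under track by_src versus track by_dst."""
    by_src = Threshold("limit", "by_src", 1, 900)
    by_dst = Threshold("limit", "by_dst", 1, 900)
    return (sum(by_src.allow(e) for e in events), sum(by_dst.allow(e) for e in events))
```

With 50 infected sources pinging one target inside the 900 s window, `track by_src` still emits one alert per source while `track by_dst` collapses them to a single alert, which is the effect the quoted rule relies on.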