[Snort-users] thresholding

Doug Nordwall doug at ...10143...
Tue Sep 23 06:48:09 EDT 2003


regardless of this, none of them work. Please go back and check the 
original email in this thread. I can't even get the most simple case of 
suppressing a particular rule to work. This thread seems to have 
mutated into "am I using the rule right" and missed the "can I use it 
at all" part :) I tried multiple options, with src and dst. Most 
importantly, though, suppress didn't work with no src _or_ dst. It's 
not a problem of me limiting or thresholding. It's not a problem in 
which way to go. It's a fundamental problem with it just flat out not 
working.

Fortunately, Chris is working on it :) Thanks again.

On Tuesday, September 23, 2003, at 12:43 AM, Jyri Hovila wrote:

> Hi!
>
>>> I believe you need to add the thresholding arguments to the signature
>>> definition itself.  Try something like:
>>>
>>> alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Welchia";
>>> content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;depth:32;
>>> reference:arachnids,154; sid:483; classtype:misc-activity; threshold:
>>> type limit, track by_src, count 1, seconds 60 ; rev:3;)
>>>
>>> This should limit you to one welchia alert per infected host per
>
> In my opinion it's more useful to use track by_dst for now, until
> Welchia traffic reduces to a sensible level. There are so many infected
> hosts at this time that there's no point in trying to track by source.
> I'm running Snort on 10 hosts and had to radically calm down the Welchia
> rule in order to prevent my central database from being clogged by
> Welchia alerts. Here's the rule I use:
>
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP PING \
> Welchia worm [LIMITED]"; content:"|aaaa aaaa aaaa aaaa aaaa aaaa aaaa \
> aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa \
> aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|";itype:8; \
> dsize:64; classtype:trojan-activity; sid:1000000; threshold: \
> type limit, track by_dst, count 1, seconds 900;)
>
> - j.
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
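
A small model of what the two tunings above actually do to the alert
volume, added here as an example. It is not Snort's code and not from
any post in this thread: it implements the documented semantics of a
rule's "threshold: type limit|threshold|both, track by_src|by_dst,
count N, seconds S" and of a threshold.conf "suppress gen_id G, sig_id S
[, track by_src|by_dst, ip X]" entry (the bare form with no src or dst
is the case Doug says he cannot get working), then replays a constructed
Welchia-style ICMP alert stream through them. Every address, timestamp
and rate in it is made up; the state handling is a simplified model of
the documented behaviour, not a port of Snort's sfthd code.

```python
"""Model of Snort 2.x per-rule event thresholding and suppression.

Added example; not Snort's own code. Addresses, timestamps and the
scan rate are constructed. Window handling follows the documented
semantics (limit: first N per window; threshold: every Nth; both: once
per window after N), not Snort's exact implementation.
"""
from collections import namedtuple

Event = namedtuple("Event", "ts gid sid src dst")  # ts in seconds


class Threshold:
    """One `threshold:` entry, with state kept per tracked address."""

    def __init__(self, type_, track, count, seconds):
        if type_ not in ("limit", "threshold", "both"):
            raise ValueError(type_)
        if track not in ("by_src", "by_dst"):
            raise ValueError(track)
        self.type, self.track = type_, track
        self.count, self.seconds = count, seconds
        self._state = {}  # tracked ip -> (window_start, events_seen)

    def allow(self, ev):
        """True if this event should still be logged."""
        key = ev.src if self.track == "by_src" else ev.dst
        start, n = self._state.get(key, (None, 0))
        if start is None or ev.ts - start >= self.seconds:
            start, n = ev.ts, 0  # first event opens a fresh window
        n += 1
        if self.type == "limit":
            fire = n <= self.count       # first N per window, then mute
        elif self.type == "threshold":
            fire = n % self.count == 0   # every Nth event in the window
        else:
            fire = n == self.count       # once per window, after N events
        self._state[key] = (start, n)
        return fire


class Suppress:
    """One `suppress` entry; track=None means no src or dst was given."""

    def __init__(self, track=None, ip=None):
        self.track, self.ip = track, ip

    def matches(self, ev):
        if self.track is None:
            return True  # bare suppress: drop every event for this sid
        addr = ev.src if self.track == "by_src" else ev.dst
        return addr == self.ip


class EventFilter:
    """Suppression is checked first, then the per-sid threshold."""

    def __init__(self):
        self.thresholds = {}    # (gid, sid) -> Threshold
        self.suppressions = {}  # (gid, sid) -> [Suppress, ...]

    def add_threshold(self, gid, sid, **kw):
        self.thresholds[(gid, sid)] = Threshold(**kw)

    def add_suppress(self, gid, sid, track=None, ip=None):
        self.suppressions.setdefault((gid, sid), []).append(Suppress(track, ip))

    def log(self, ev):
        key = (ev.gid, ev.sid)
        if any(s.matches(ev) for s in self.suppressions.get(key, [])):
            return False
        th = self.thresholds.get(key)
        return True if th is None else th.allow(ev)


def welchia_stream(n_sources=200, n_targets=5, pings=90, interval=10):
    """Constructed stream: each infected source pings a round-robin
    target every `interval` s for `pings` rounds, start offsets 0..9 s."""
    srcs = ["10.0.0.%d" % i for i in range(1, n_sources + 1)]
    dsts = ["192.168.1.%d" % (10 + j) for j in range(n_targets)]
    events = []
    for k in range(pings):
        for i, src in enumerate(srcs):
            events.append(Event(k * interval + (i % 10), 1, 483, src,
                                dsts[(i + k) % n_targets]))
    events.sort(key=lambda e: e.ts)
    return events


def replay(events, filt):
    """Number of alerts that survive the filter."""
    return sum(1 for ev in events if filt.log(ev))


def compare(events=None):
    """Alert counts for the thread's two tunings plus two suppress cases."""
    events = welchia_stream() if events is None else events
    out = {"unthrottled": replay(events, EventFilter())}
    f = EventFilter()  # threshold: type limit, track by_src, count 1, seconds 60
    f.add_threshold(1, 483, type_="limit", track="by_src", count=1, seconds=60)
    out["limit by_src 1/60s"] = replay(events, f)
    f = EventFilter()  # threshold: type limit, track by_dst, count 1, seconds 900
    f.add_threshold(1, 483, type_="limit", track="by_dst", count=1, seconds=900)
    out["limit by_dst 1/900s"] = replay(events, f)
    f = EventFilter()  # by_src limit plus: suppress gen_id 1, sig_id 483, track by_src, ip 10.0.0.7
    f.add_threshold(1, 483, type_="limit", track="by_src", count=1, seconds=60)
    f.add_suppress(1, 483, track="by_src", ip="10.0.0.7")
    out["by_src + suppress 10.0.0.7"] = replay(events, f)
    f = EventFilter()  # suppress gen_id 1, sig_id 483  (no src, no dst)
    f.add_suppress(1, 483)
    out["bare suppress"] = replay(events, f)
    return out


if __name__ == "__main__":
    for name, n in compare().items():
        print("%-28s %6d alerts" % (name, n))
```

With 200 infected sources the by_src/60s tuning still yields 3000
alerts in 15 minutes (one per source per minute), while by_dst/900s
yields one per protected host, which is the point Jyri makes above; the
model also shows why a suppress line is the right tool once a source
is known and being cleaned, since it is evaluated before any threshold.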