[Snort-users] thresholding

Nordwall, Douglas J Nordwall at ...10143...
Wed Sep 24 05:58:13 EDT 2003


Ok, folks, after rewriting my rules file, I got it working. I believe that
there was some extra garbage in the file, or there was a split line. Anyhow,
successful suppression and thresholding.

-- 


> From: Doug Nordwall <doug at ...10143...>
> Date: Tue, 23 Sep 2003 06:46:49 -0700
> To: snort-users at lists.sourceforge.net
> Subject: Re: Re[2]: [Snort-users] thresholding
> 
> regardless of this, none of them work. Please go back and check the
> original email in this thread. I can't even get the most simple case of
> suppressing a particular rule to work. This thread seems to have
> mutated into "am i using the rule right" and missed the "can I use it
> at all" part :) I tried multiple options, with src and dst. Most
> importantly, though, suppress didn't work with no src _or_ dst. It's
> not a problem of me limiting or thresholding. It's not a problem in
> which way to go. It's a fundamental problem with it just flat out not
> working.
> 
> Fortunately, Chris is working on it :) Thanks again.
> 
> On Tuesday, September 23, 2003, at 12:43 AM, Jyri Hovila wrote:
> 
>> Hi!
>> 
>>>> I believe you need to add the thresholding arguments to the signature
>>>> definition itself.  Try something like:
>>>> 
>>>> alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Welchia";
>>>> content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;depth:32;
>>>> reference:arachnids,154; sid:483; classtype:misc-activity; threshold:
>>>> type limit, track by_src, count 1, seconds 60 ; rev:3;)
>>>> 
>>>> This should limit you to one welchia alert per infected host per
>> 
>> In my opinion it's more useful to use track by_dst for now, until
>> Welchia traffic reduces to a sensible level. There are so many infected
>> hosts at this time that there's no point in trying to track by source.
>> I'm running Snort on 10 hosts and had to radically calm down the
>> Welchia
>> rule in order to prevent my central database from being clogged by
>> Welchia alerts. Here's the rule I use:
>> 
>> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP PING \
>> Welchia worm [LIMITED]"; content:"|aaaa aaaa aaaa aaaa aaaa aaaa aaaa \
>> aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa \
>> aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|";itype:8; \
>> dsize:64; classtype:trojan-activity; sid:1000000; threshold: \
>> type limit, track by_dst, count 1, seconds 900;)
>> 
>> - j.
>> 
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
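The thread argues about track by_src versus track by_dst without putting numbers on it. The following is an added example, not code from the thread or from the Snort project: a small model of the documented Snort 2.x `threshold` semantics (type limit/threshold/both, track by_src/by_dst, count, seconds, with a fixed window that opens on the first event for a tracked address) replayed over a constructed Welchia-style ping sweep, so the alert volume of each variant can be compared. The hosts, timings and the fixed-window approximation are assumptions.

```python
# Added example (not from the thread): a model of Snort's "threshold" rule
# option as documented for 2.x -- type limit/threshold/both, track by_src
# or by_dst, count N, seconds S -- replayed over constructed Welchia-style
# ICMP events to compare how many alerts each variant lets through.

class SnortThreshold:
    """One threshold config for one sid, mirroring the keyword semantics:
    limit     -> alert on the first `count` events per window, drop the rest
    threshold -> alert on every `count`-th event within the window
    both      -> alert once per window, only after `count` events
    The window starts at the first event seen for a tracked address and is
    reopened once `seconds` have elapsed (fixed window, an assumption)."""

    def __init__(self, ttype, track, count, seconds):
        assert ttype in ("limit", "threshold", "both")
        assert track in ("by_src", "by_dst")
        self.ttype, self.track = ttype, track
        self.count, self.seconds = count, seconds
        self.state = {}  # tracked ip -> (window_start, events_in_window)

    def process(self, ts, src, dst):
        """Return True if this event should produce an alert."""
        key = src if self.track == "by_src" else dst
        start, n = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0          # open a fresh window
        n += 1
        self.state[key] = (start, n)
        if self.ttype == "limit":
            return n <= self.count
        if self.ttype == "threshold":
            return n % self.count == 0
        return n == self.count        # both

def count_alerts(events, ttype, track, count, seconds):
    """Replay (ts, src, dst) events through one threshold config."""
    th = SnortThreshold(ttype, track, count, seconds)
    return sum(1 for ts, s, d in events if th.process(ts, s, d))

def welchia_sweep(n_sources=50, n_targets=20, period=30, duration=600):
    """Constructed sample: n_sources infected hosts each pinging n_targets
    of our hosts every `period` s for `duration` s (all in one 900 s window)."""
    events = []
    for t in range(0, duration, period):
        for s in range(n_sources):
            for d in range(n_targets):
                events.append((t, f"10.0.0.{s + 1}", f"192.168.1.{d + 1}"))
    return events

if __name__ == "__main__":
    ev = welchia_sweep()
    print(len(ev), "raw events")
    for track in ("by_src", "by_dst"):
        print(track, count_alerts(ev, "limit", track, 1, 900), "alerts")
```

With 50 sources and 20 targets, `track by_src` emits one alert per infected host (50) while `track by_dst` emits one per local target (20), which is the reduction the list reply is after; shortening `seconds` to 60 multiplies both figures by the number of windows in the sweep.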
