[Snort-users] test a threshold rule, please?
radamson at ...2127...
Tue Jul 6 06:50:11 EDT 2004
Could someone test the following rule in either linux or win32, please?
alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S; threshold: type
threshold, track by_src, seconds 60, count 1; classtype:misc-activity; sid: 1000002;
I'm trying to determine whether the above might indicate a bug in
linux, win32, or syntax error on my part. If I try the above rule in win32
(v2.2.0rc1 build 28), snort will not start due to an integer error reading
the rule. Inserting content:" "; offset:0; in the above allows snort to
Any help/suggestions would be greatly appreciated. Off-list comments are
fine if you'd like.