[Snort-users] test a threshold rule, please?

Rich Adamson radamson at ...2127...
Tue Jul 6 08:53:04 EDT 2004


Josh,

Tried that and the problem consistently occurs with the "first"
threshold parameter that has an integer value.

Can you try this rule either on linux or win32 for me please?
Pretty please with honey on it?

Rich

------------------------
> Maybe the order of the seconds, count options.  Try changing it to count
> 1, seconds 60;
> 
> -----Original Message-----
> 
> Could someone test the following rule in either linux or win32, please?
> 
> alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S; threshold: type threshold, track by_src, seconds 60, count 1; classtype:misc-activity; sid: 1000002; rev:1;)
> 
> I'm trying to determine whether the above might indicate a bug in linux,
> win32, or a syntax error on my part. If I try the above rule in win32
> (v2.2.0rc1 build 28), snort will not start due to an integer error reading
> the rule. Inserting content:" "; offset:0; in the above allows snort to
> start.
> 
> Any help/suggestions would be greatly appreciated. Off-list comments are
> fine if you'd like.
> 
> Rich
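As an added illustration (not part of this thread and not Snort's own parser), a small Python checker that extracts the threshold option from a rule, splits its comma-separated parameters and reports which one is malformed, rejecting a count or seconds value that is not a plain integer. It assumes only the documented threshold keywords (type limit/threshold/both, track by_src/by_dst, count, seconds); the rule string embedded below is the one quoted in the thread, joined onto one line.

```python
import re

# Constructed sample: the rule quoted in the thread, joined onto one line.
RULE = ('alert tcp $HOME_NET any -> any any (msg:"High SYN Traffic"; flags:S; '
        'threshold: type threshold, track by_src, seconds 60, count 1; '
        'classtype:misc-activity; sid:1000002; rev:1;)')

VALID_TYPES = {"limit", "threshold", "both"}
VALID_TRACKS = {"by_src", "by_dst"}

def split_options(rule):
    """Yield each 'name:value' option from the rule body. A ';' inside a
    quoted string (msg, content) does not terminate an option."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    cur, in_quote = "", False
    for ch in body + ";":
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if cur.strip():
                yield cur.strip()
            cur = ""
        else:
            cur += ch

def parse_threshold(rule):
    """Return the threshold option as a dict (count/seconds as ints) or
    raise ValueError naming the first parameter that is malformed."""
    for opt in split_options(rule):
        name, _, value = opt.partition(":")
        if name.strip() != "threshold":
            continue
        params = {}
        for item in value.split(","):
            key, _, val = item.strip().partition(" ")
            params[key] = val.strip()
        missing = {"type", "track", "count", "seconds"} - params.keys()
        if missing:
            raise ValueError(f"threshold is missing {sorted(missing)}")
        if params["type"] not in VALID_TYPES:
            raise ValueError(f"bad type {params['type']!r}")
        if params["track"] not in VALID_TRACKS:
            raise ValueError(f"bad track {params['track']!r}")
        for key in ("count", "seconds"):
            if not re.fullmatch(r"[0-9]+", params[key]):
                raise ValueError(f"{key} must be an integer, got {params[key]!r}")
            params[key] = int(params[key])
        return params
    raise ValueError("rule has no threshold option")
```

Running parse_threshold on a rule whose count or seconds value carries stray characters (for instance a line break or a non-digit) reports that parameter by name, which is the first thing to check when a rule is rejected with an integer error.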