[Snort-users] [Q] thresholding

Jack Pepper pepperjack at ...14319...
Wed Oct 15 14:11:03 EDT 2008


Quoting Victor Klimov <vk77de at ...14012...>:

> What could be changed in the following rule, so that thresholding would work?
>
> #Rule for alerting common TCP/UDP flood attack:
> alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; threshold: type both, track by_src, count 1, seconds 1600; classtype:attempted-dos; sid:100000160; rev:2;)

I assume you want to detect a flood, eh?  One hit in 1600 seconds is not much of a flood.  Did you perhaps intend to detect 1600 hits in one minute?

" .. would work .. " is a little vague.  What exactly do you want it to do?

jp

-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
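Added example (not from this thread and not Snort's own code): a small Python model of the rule-level `threshold` keyword (types limit / threshold / both, track by_src, count N, seconds S) replayed over constructed traffic to port 5060. It shows why `count 1, seconds 1600` fires on the very first packet from each source, while `count 1600, seconds 60` only fires once a source actually floods. The `Threshold` class, the two IP addresses and the packet timings are assumptions for illustration; the fixed-window bookkeeping is a simplification and is not Snort's sfthd implementation.

```python
"""Model of Snort's per-rule `threshold` keyword, replayed over sample packets.

Added example for the thread above; semantics follow the Snort manual's
description of limit / threshold / both, window handling is simplified
and is NOT Snort's own sfthd.c code.
"""


class Threshold:
    """Models: threshold: type <limit|threshold|both>, track by_src, count N, seconds S."""

    def __init__(self, kind, count, seconds):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError("type must be limit, threshold or both")
        self.kind = kind
        self.count = count
        self.seconds = seconds
        # per tracked key (here: source IP): (window_start_time, events_seen_in_window)
        self.state = {}

    def should_alert(self, key, now):
        start, seen = self.state.get(key, (None, 0))
        # Open a new window on the first event, or once the old window has expired.
        if start is None or now - start >= self.seconds:
            start, seen = now, 0
        seen += 1
        self.state[key] = (start, seen)

        if self.kind == "limit":
            # alert on the first `count` events per window, then stay quiet
            return seen <= self.count
        if self.kind == "threshold":
            # alert every `count` events within the window
            return seen % self.count == 0
        # both: a single alert per window, once `count` events have been seen
        return seen == self.count


def replay(threshold, packets):
    """packets: iterable of (timestamp_seconds, src_ip). Returns the (ts, src) pairs that alerted."""
    alerts = []
    for ts, src in packets:
        if threshold.should_alert(src, ts):
            alerts.append((ts, src))
    return alerts


# Constructed sample traffic to the SIP proxy (not captured data):
#  - 10.0.0.5 sends one request per minute for ten minutes (a normal user)
#  - 10.0.0.9 sends 2000 packets in 20 seconds starting at t=300 (a flood)
NORMAL = [(60.0 * i, "10.0.0.5") for i in range(10)]
FLOOD = [(300.0 + i * 0.01, "10.0.0.9") for i in range(2000)]
TRAFFIC = sorted(NORMAL + FLOOD)


def alerts_as_posted():
    """The rule as posted in the question: type both, count 1, seconds 1600."""
    return replay(Threshold("both", count=1, seconds=1600), TRAFFIC)


def alerts_flood_only():
    """The rule tuned as the reply suggests: 1600 hits from one source within one minute."""
    return replay(Threshold("both", count=1600, seconds=60), TRAFFIC)


if __name__ == "__main__":
    # As posted: one alert per source on its first packet (the normal user included).
    print("as posted :", alerts_as_posted())
    # Tuned: only the flooding source alerts, at its 1600th packet.
    print("flood only:", alerts_flood_only())
```

Run it directly to see that the posted rule produces an alert for the harmless 10.0.0.5 as well as for the flooder, whereas the tuned rule alerts only for 10.0.0.9 and only once the window has collected 1600 packets. Caveat for anyone applying this today: from Snort 2.8.5 onward the rule-level `threshold` keyword is deprecated; rate-based detection like this belongs in `detection_filter` inside the rule, and alert suppression/limiting in `event_filter` in the configuration.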
