[Snort-users] [Q] thresholding: to throttle flood of alerts

Joel Esler eslerj at ...11827...
Thu Oct 16 10:20:20 EDT 2008


I think I remember someone saying not too long ago that you can't use
ports with an "ip" rule?

J

On Oct 16, 2008, at 2:59 AM, Victor Klimov wrote:

> Hi Leon,
>
> Yeah, I know, it should work...
> But it doesn't:
>
> #Rule for alerting common TCP/UDP flood attack:
> alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message
> flooding directed to SIP proxy"; threshold: type limit, track by_src,
> count 1, seconds 600; classtype:attempted-dos; sid:100000160; rev:2;)
>
> This rule above should limit the flooding alert: once in 10 min.
> However I continue to see a lot of 100000160 alerts, several per minute.
> Hmm...
>
> Victor
>
> On Wed, Oct 15, 2008 at 9:24 PM, Leon Ward <seclists at ...14165...> wrote:
>> Hi.
>>
>> You are looking for "limit", or rather "both" limit and threshold
>>
>> Take a look at README.thresholding in the /doc directory and the link below.
>>
>> http://snort.org/docs/snort_htmanuals/htmanual_280/node330.html#Event_Thresholding
>>
>> -Leon
>>
>>
>>
>> On 15 Oct 2008, at 19:50, Victor Klimov wrote:
>>
>>> Hi Jack,
>>>
>>> Actually I don't want to detect a flood. I already have some kind of
>>> flood, at least according to what I get from snort.
>>> I want to throttle the flood of 'flooding directed to SIP proxy'
>>> messages.
>>>
>>> Even if I changed the threshold values in the original rule,
>>> I do see several in let's say 3 min.
>>>
>>> That is what I want to throttle.
>>>
>>> Victor
>>>
>
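The thresholding semantics the thread is arguing about, as an added example (not code from the post or from Snort itself): a small Python model of the three threshold types from README.thresholding (limit, threshold, both) keyed by_src or by_dst, run over a constructed sample of events toward a SIP proxy on port 5060. The `Threshold` class, `run` helper and the addresses are assumptions for illustration.

```python
# Constructed sample: a burst from 10.0.0.5 toward a SIP proxy, plus one
# packet from a second source. Tuples are (time_in_seconds, src, dst).
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "192.0.2.10"),
    (5, "10.0.0.5", "192.0.2.10"),
    (10, "10.0.0.5", "192.0.2.10"),
    (10, "10.0.0.9", "192.0.2.10"),
    (15, "10.0.0.5", "192.0.2.10"),
    (300, "10.0.0.5", "192.0.2.10"),
    (599, "10.0.0.5", "192.0.2.10"),
    (600, "10.0.0.5", "192.0.2.10"),
    (605, "10.0.0.5", "192.0.2.10"),
]


class Threshold:
    """Per-key state for one rule's `threshold:` option (hypothetical model)."""

    def __init__(self, kind, count, seconds):
        assert kind in ("limit", "threshold", "both")
        self.kind, self.count, self.seconds = kind, count, seconds
        self.state = {}  # key -> [window_start, events_seen_in_window]

    def alert(self, key, now):
        """Return True if this event should still produce an alert."""
        st = self.state.get(key)
        if st is None or now - st[0] >= self.seconds:
            st = self.state[key] = [now, 0]  # (re)start the time window
        st[1] += 1
        if self.kind == "limit":  # first `count` events per window, then silence
            return st[1] <= self.count
        if self.kind == "threshold":  # every `count`-th event, then restart
            if st[1] >= self.count:
                st[0], st[1] = now, 0
                return True
            return False
        return st[1] == self.count  # both: once per window, on the count-th event


def run(kind, count, seconds, track, events):
    """Apply one threshold config to an event stream; return [(time, key)] alerted."""
    th = Threshold(kind, count, seconds)
    idx = 1 if track == "by_src" else 2
    alerts = []
    for ev in events:
        if th.alert(ev[idx], ev[0]):
            alerts.append((ev[0], ev[idx]))
    return alerts
```

With `type limit, count 1, seconds 600, track by_src` the burst collapses to one alert per source per 10 minutes, which is the behaviour the original rule was meant to give.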