[Snort-users] [Q] thresholding: to throttle flood of alerts

Jack Pepper pepperjack at ...14319...
Thu Oct 16 10:42:50 EDT 2008


It *does* seem illogical to specify a (tcp/udp) port number when the  
protocol is not tcp or udp.

jp

Quoting Joel Esler <eslerj at ...11827...>:

> I think I remember someone saying not too long ago about you can't use
> ports with an "ip" rule?
>
> J
>
> On Oct 16, 2008, at 2:59 AM, Victor Klimov wrote:
>
>> Hi Leon,
>>
>> Yeah, I know, it should work...
>> But it doesn't:
>>
>> #Rule for alerting common TCP/UDP flood attack:
>> alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message
>> flooding directed to SIP proxy"; threshold: type limit, track by_src,
>> count 1, seconds600; classtype:attempted-dos; sid:100000160; rev:2;)
>>
>> This rule above should limit the flooding alert: once in 10 min.
>> However I continue to see a lot of 100000160 alerts, several per
>> minute.
>> Hmm...
>>
>> Victor
>>
>> On Wed, Oct 15, 2008 at 9:24 PM, Leon Ward <seclists at ...14165...>
>> wrote:
>>> Hi.
>>>
>>> You are looking for "limit", or rather "both" limit and threshold
>>>
>>> Take a look at README.thresholding in the /doc directory and the
>>> link below.
>>>
>>> http://snort.org/docs/snort_htmanuals/htmanual_280/node330.html#Event_Thresholding
>>>
>>> -Leon
>>>
>>>
>>>
>>> On 15 Oct 2008, at 19:50, Victor Klimov wrote:
>>>
>>>> Hi Jack,
>>>>
>>>> Actually I don't want do detect a flood. I already have some kind of
>>>> flood,
>>>> at least according to what I get from snort.
>>>> I want to throttle the flood of 'flooding directed to SIP proxy'
>>>> messages.
>>>>
>>>> Even if changed the threshold values in the original rule,
>>>> I do see several in let's say 3 min.
>>>>
>>>> That is what I want to throttle.
>>>>
>>>> Victor
>>>>
>>>> -------------------------------------------------------------------------
>>>> This SF.Net email is sponsored by the Moblin Your Move Developer's
>>>> challenge
>>>> Build the coolest Linux based applications with Moblin SDK & win
>>>> great
>>>> prizes
>>>> Grand prize is a trip for two to an Open Source event anywhere in
>>>> the
>>>> world
>>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>
>>>
>>
>> -------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move Developer's
>> challenge
>> Build the coolest Linux based applications with Moblin SDK & win
>> great prizes
>> Grand prize is a trip for two to an Open Source event anywhere in
>> the world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com





More information about the Snort-users mailing list