[Snort-users] [Q] thresholding: to throttle flood of alerts

Jack Pepper pepperjack at ...14319...
Thu Oct 16 11:51:16 EDT 2008


maybe try tracking by dest instead.

jp

Quoting Victor Klimov <vk77de at ...14012...>:

> Hi Markus,
>
> That's probably it.
> 99% of them come from different sources.
>
> It was not myself that wrote the rule.
> Got it with the oinkmaster.
>
> Thanks,
>
> Victor
>
> On Thu, Oct 16, 2008 at 2:41 PM, Markus Lude <markus.lude at ...348...> wrote:
>> On Thu, Oct 16, 2008 at 06:59:37AM +0000, Victor Klimov wrote:
>>> Hi Leon,
>>>
>>> Yeah, I know, it should work...
>>> But it doesn't:
>>>
>>> #Rule for alerting common TCP/UDP flood attack:
>>> alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message
>>> flooding directed to SIP proxy"; threshold: type limit, track by_src,
>>> count 1, seconds 600; classtype:attempted-dos; sid:100000160; rev:2;)
>>>
>>> This rule above should limit the flooding alert: once in 10 min.
>>> However I continue to see a lot of 100000160 alerts, several per minute.
>>> Hmm...
>>
>> Do these alerts come from different sources or the same one? As I
>> understand thresholds, track by_src means a separate counter for each
>> source.
>>
>> Regards,
>> Markus
>>
>>
>



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
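An added illustration, not part of the thread: a small Python model of Snort's rule threshold semantics, showing why "type limit, track by_src, count 1, seconds 600" still fires once per source when the flood comes from many sources, and why "track by_dst" collapses it to one alert per 10 minutes. It also covers the "threshold" and "both" types, which the thread does not use; the packet timestamps and addresses are constructed.

```python
# Added example (not from the thread): a simplified model of Snort's
# rule threshold semantics (type limit / threshold / both, track by_src /
# by_dst). Timestamps and addresses are constructed sample data.
from collections import defaultdict

def apply_threshold(events, ttype="limit", track="by_src", count=1, seconds=600):
    """Return the events that would actually be logged as alerts.

    events: iterable of (timestamp_seconds, src_ip, dst_ip).
    A counter is kept per tracked address and reset when its window of
    `seconds` expires. 'limit' alerts on the first `count` events in a
    window, 'threshold' alerts on every `count`-th event, 'both' alerts
    once per window when `count` events have been seen.
    """
    window_start = {}
    counters = defaultdict(int)
    alerts = []
    for ts, src, dst in events:
        key = src if track == "by_src" else dst
        if key not in window_start or ts - window_start[key] >= seconds:
            window_start[key] = ts      # open a fresh window for this address
            counters[key] = 0
        counters[key] += 1
        n = counters[key]
        if ttype == "limit":
            fire = n <= count
        elif ttype == "threshold":
            fire = n % count == 0
        else:  # "both"
            fire = n == count
        if fire:
            alerts.append((ts, src, dst))
    return alerts

# Constructed flood: 30 packets over 5 minutes, each from a different
# source address, all aimed at the same SIP proxy (192.0.2.5).
FLOOD = [(10 * i, f"198.51.100.{i + 1}", "192.0.2.5") for i in range(30)]

if __name__ == "__main__":
    # by_src: every source has its own counter, so all 30 packets alert
    print(len(apply_threshold(FLOOD, track="by_src")))
    # by_dst: one counter for the proxy, so only the first packet alerts
    print(len(apply_threshold(FLOOD, track="by_dst")))
```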