[Snort-users] event_filter

Beatriz Duran beatrizdrn at ...131...
Tue Jun 8 09:51:09 EDT 2010


I need to set an event_filter rule that has to be activated when any IP sends two packets per second:

Alert tcp any any -> 192.168.1.64 any (msg “SYN flooding attack”;flow:stateless;threshold:type threshold,track by_src,count 2,seconds 1; sid: 1000040;)

but I was not able to make it work. Any clues?

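Added example, not part of the original post and not Snort's own code: a simplified Python model of the three threshold types described in the Snort manual (limit, threshold, both), tracked per source and run over constructed packet timestamps with the count 2, seconds 1 settings from the rule above. It goes beyond the post's type threshold case; the fixed per-source window and all names (ThresholdModel, run, PACKETS) are assumptions.

```python
from collections import defaultdict

# Simplified model (an assumption, not Snort source): each source gets a
# fixed window that starts at its first counted event and restarts once
# `seconds` have elapsed.
class ThresholdModel:
    def __init__(self, kind, count, seconds):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError("unknown threshold type: %r" % kind)
        self.kind, self.count, self.seconds = kind, count, seconds
        self.state = defaultdict(lambda: {"start": None, "seen": 0})

    def event(self, src, ts):
        """Return True if a rule match from `src` at time `ts` is alerted."""
        st = self.state[src]
        if st["start"] is None or ts - st["start"] >= self.seconds:
            st["start"], st["seen"] = ts, 0      # new window for this source
        st["seen"] += 1
        if self.kind == "limit":                 # first N matches per window
            return st["seen"] <= self.count
        if self.kind == "both":                  # once per window, at the Nth
            return st["seen"] == self.count
        if st["seen"] >= self.count:             # threshold: every Nth match
            st["seen"] = 0
            return True
        return False

def run(kind, packets, count=2, seconds=1):
    """Feed (src, ts) pairs through the model; return the alerted pairs."""
    model = ThresholdModel(kind, count, seconds)
    return [(src, ts) for src, ts in packets if model.event(src, ts)]

# Constructed sample traffic: 10.0.0.5 sends five packets within one second,
# 10.0.0.9 sends about one packet per second and never reaches count 2.
PACKETS = [
    ("10.0.0.5", 0.00), ("10.0.0.9", 0.10), ("10.0.0.5", 0.20),
    ("10.0.0.5", 0.40), ("10.0.0.5", 0.60), ("10.0.0.5", 0.80),
    ("10.0.0.9", 1.20), ("10.0.0.9", 2.30),
]

if __name__ == "__main__":
    for kind in ("limit", "threshold", "both"):
        print(kind, run(kind, PACKETS))
```

In this model only the fast source alerts under threshold and both, while limit also alerts on the slow source because it passes the first matches of every window.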

