[Snort-users] threshold.conf limit not working for me

Agus agus.262 at ...11827...
Tue Apr 26 13:21:26 EDT 2011


Hi guys,

I'm running Snort 2903 and added this line to threshold.conf:
event_filter gen_id 0, sig_id 0, type limit, track by_dst, count 1, seconds 60

But when I start Snort I see lots of this:

Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious
inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic]
[Priority: 2]: {TCP} 10.10.x.131:58447 -> 10.10.x.21:1433
Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious
inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic]
[Priority: 2]: {TCP} 10.10.x.100:53887 -> 10.10.x.21:1433
Apr 26 13:03:12 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious
inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic]
[Priority: 2]: {TCP} 10.10.x.131:58448 -> 10.10.x.21:1433
Apr 26 13:03:15 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious
inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic]
[Priority: 2]: {TCP} 10.10.x.114:64883 -> 10.10.x.21:1433
Apr 26 13:03:16 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious
inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic]
[Priority: 2]: {TCP} 10.10.x.131:58449 -> 10.10.x.21:1433

Is there something I'm missing?

Thanks,
Brahama
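
An added example, not part of the original post and not Snort's own code: a simplified model of what `type limit, track by_dst, count 1, seconds 60` should leave in the log, run over the alert lines quoted above (unwrapped to one line each). Assumptions: state is keyed by (gen_id, sig_id, destination IP), a window starts at the first event and resets once `seconds` have passed, and the year is taken from the post date because syslog omits it.

```python
import re
from datetime import datetime

# The five alert lines from the post, each unwrapped onto a single line.
SAMPLE = """\
Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58447 -> 10.10.x.21:1433
Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.100:53887 -> 10.10.x.21:1433
Apr 26 13:03:12 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58448 -> 10.10.x.21:1433
Apr 26 13:03:15 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.114:64883 -> 10.10.x.21:1433
Apr 26 13:03:16 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58449 -> 10.10.x.21:1433
"""

# Syslog-format Snort alert: timestamp, [gid:sid:rev], ..., {PROTO} src -> dst
ALERT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] .* "
    r"\{\w+\} \S+ -> (?P<dst>[^\s:]+)(?::\d+)?$"
)

def parse(line, year=2011):
    """Return (timestamp, (gid, sid, dst_ip)) or None for non-alert lines."""
    m = ALERT.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, (m["gid"], m["sid"], m["dst"])

def apply_limit(lines, count=1, seconds=60):
    """Split alert lines into (kept, suppressed) under a by_dst limit filter."""
    windows = {}  # key -> [window_start, events_seen_in_window]
    kept, suppressed = [], []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, key = parsed
        win = windows.get(key)
        if win is None or (ts - win[0]).total_seconds() >= seconds:
            win = windows[key] = [ts, 0]  # first event, or interval expired
        win[1] += 1
        (kept if win[1] <= count else suppressed).append(line)
    return kept, suppressed

if __name__ == "__main__":
    kept, suppressed = apply_limit(SAMPLE.splitlines())
    print(f"expected in log: {len(kept)}, should have been filtered: {len(suppressed)}")
```

Any line that lands in `suppressed` when this is run over a real alert log is one the filter, if it were in effect, would not have written.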
