[Snort-users] threshold.conf limit not working for me

waldo kitty wkitty42 at ...14940...
Tue Apr 26 14:53:36 EDT 2011


On 4/26/2011 13:21, Agus wrote:
> Hi guys,
>
> I'm running snort 2903 and added this line to threshold.conf
> event_filter gen_id 0, sig_id 0, type limit, track by_dst, count 1, seconds 60

hunh? does a gen_id and sig_id of 0 mean "all"?

> But when I start snort I see lots of this
>
> Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious
> inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic]
> [Priority: 2]: {TCP} 10.10.x.131:58447 ->  10.10.x.21:1433
> Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious
> inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic]
> [Priority: 2]: {TCP} 10.10.x.100:53887 ->  10.10.x.21:1433
> Apr 26 13:03:12 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious
> inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic]
> [Priority: 2]: {TCP} 10.10.x.131:58448 ->  10.10.x.21:1433
> Apr 26 13:03:15 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious
> inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic]
> [Priority: 2]: {TCP} 10.10.x.114:64883 ->  10.10.x.21:1433
> Apr 26 13:03:16 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious
> inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic]
> [Priority: 2]: {TCP} 10.10.x.131:58449 ->  10.10.x.21:1433
>
> Is there something I'm missing?

shouldn't the line be gen_id 1, sig_id 2010935 ???
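As an added example (not code from the thread or from Snort itself), here is a small Python model of what a `type limit, track by_dst, count 1, seconds 60` event_filter is supposed to do, run over the alert lines quoted above. The sample lines are copied from the post; the year 2011, the syslog line layout, and the window semantics (a window opens at the first event seen for a given rule and tracked address) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the five alert lines quoted in the thread, each joined
# back onto one line (the masked "x" octets are kept exactly as posted).
SAMPLE_LOG = """\
Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58447 ->  10.10.x.21:1433
Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.100:53887 ->  10.10.x.21:1433
Apr 26 13:03:12 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58448 ->  10.10.x.21:1433
Apr 26 13:03:15 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.114:64883 ->  10.10.x.21:1433
Apr 26 13:03:16 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58449 ->  10.10.x.21:1433
"""

# syslog timestamp, host, "snort[pid]:", [gid:sid:rev], ..., "{PROTO} src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] .*?\{\w+\} "
    r"(?P<src>\S+):\d+ ->\s+(?P<dst>\S+):\d+$"
)

def parse_alerts(text, year=2011):
    """Parse Snort syslog alert lines into dicts; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        alerts.append({"ts": ts, "gid": int(m["gid"]), "sid": int(m["sid"]),
                       "src": m["src"], "dst": m["dst"]})
    return alerts

def apply_limit(alerts, track="by_dst", count=1, seconds=60):
    """Model of an event_filter of type limit: within each `seconds` window,
    pass the first `count` events per (gid, sid, tracked address), drop the rest."""
    addr = {"by_src": "src", "by_dst": "dst"}[track]
    window_start, seen, kept = {}, defaultdict(int), []
    for a in alerts:
        key = (a["gid"], a["sid"], a[addr])
        start = window_start.get(key)
        if start is None or (a["ts"] - start).total_seconds() >= seconds:
            window_start[key] = a["ts"]   # assumed: window opens at first event for this key
            seen[key] = 0
        seen[key] += 1
        if seen[key] <= count:
            kept.append(a)
    return kept
```

On the quoted lines, `apply_limit(parse_alerts(SAMPLE_LOG))` keeps a single alert for 10.10.x.21, while the post shows all five being logged within six seconds, so the filter was evidently not being applied at all; checking what a working filter would have produced is a quick way to tell a wrong filter from one Snort never loaded.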



