[Snort-users] threshold.conf limit not working for me

Agus agus.262 at ...11827...
Tue Apr 26 15:01:13 EDT 2011


Exactly Waldo. It means all.

Will try threshold, but the examples and README recommend event_filter.

Will try and get back. Thanks guys.

2011/4/26 Lay, James <james.lay at ...15009...>:
> It's:
>
> threshold gen_id 0, sig_id 0, type limit, track by_dst, count 1, seconds 60
>
> James
>
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42 at ...14940...]
> Sent: Tuesday, April 26, 2011 12:54 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] threshold.conf limit not working for me
>
> On 4/26/2011 13:21, Agus wrote:
>> Hi guys,
>>
>> I'm running snort 2903 and added this line to threshold.conf
>> event_filter gen_id 0, sig_id 0, type limit, track by_dst, count 1, seconds 60
>
> hunh? does a gen_id and sig_id of 0 mean "all"?
>
>> But when i start snort i see lots of this
>>
>> Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58447 ->  10.10.x.21:1433
>> Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.100:53887 ->  10.10.x.21:1433
>> Apr 26 13:03:12 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58448 ->  10.10.x.21:1433
>> Apr 26 13:03:15 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.114:64883 ->  10.10.x.21:1433
>> Apr 26 13:03:16 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58449 ->  10.10.x.21:1433
>>
>> Is there something I'm missing?
>
> shouldn't the line be gen_id 1, sig_id 2010935  ???
>
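To show what the filter in this thread is expected to do with the quoted alerts, here is an added simulation of Snort's `event_filter`/`threshold` "limit" semantics (my own reconstruction for illustration, not Snort's code): the first `count` events per tracked address in each `seconds` window are logged and the rest are dropped, tracked per (gen_id, sig_id, address), which is my reading of how a gen_id 0 / sig_id 0 filter applies to every rule. The alert lines are constructed from the five alerts quoted above.

```python
import re
from datetime import datetime

# Snort syslog alert layout as quoted in the thread (syslog carries no year).
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] .*?\{\w+\} "
    r"(?P<src>[\w.]+):\d+\s+->\s+(?P<dst>[\w.]+):\d+$"
)

# Constructed sample: the five alerts from the original post, one per line.
_PREFIX = ("snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL "
           "port 1433 [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} ")
SAMPLE_ALERTS = [
    "Apr 26 13:03:10 " + _PREFIX + "10.10.x.131:58447 -> 10.10.x.21:1433",
    "Apr 26 13:03:10 " + _PREFIX + "10.10.x.100:53887 -> 10.10.x.21:1433",
    "Apr 26 13:03:12 " + _PREFIX + "10.10.x.131:58448 -> 10.10.x.21:1433",
    "Apr 26 13:03:15 " + _PREFIX + "10.10.x.114:64883 -> 10.10.x.21:1433",
    "Apr 26 13:03:16 " + _PREFIX + "10.10.x.131:58449 -> 10.10.x.21:1433",
]

def parse_alert(line, year=2011):
    """Split one syslog alert line into timestamp, gid, sid, src and dst."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("unrecognised alert line: " + line)
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "gid": int(m["gid"]), "sid": int(m["sid"]),
            "src": m["src"], "dst": m["dst"]}

def apply_limit(alerts, gen_id=0, sig_id=0, track="by_dst", count=1, seconds=60):
    """Return the alerts that a 'type limit' filter would still log.
    gen_id 0 / sig_id 0 match every rule, as the thread concludes; an alert
    from a rule the filter does not match is always logged."""
    windows = {}  # (gid, sid, tracked address) -> (window start, events seen)
    kept = []
    for a in alerts:
        if (gen_id and a["gid"] != gen_id) or (sig_id and a["sid"] != sig_id):
            kept.append(a)
            continue
        addr = a["dst"] if track == "by_dst" else a["src"]
        key = (a["gid"], a["sid"], addr)
        start, seen = windows.get(key, (None, 0))
        if start is None or (a["ts"] - start).total_seconds() >= seconds:
            start, seen = a["ts"], 0  # open a fresh window for this address
        seen += 1
        windows[key] = (start, seen)
        if seen <= count:
            kept.append(a)
    return kept
```

With `track by_dst, count 1, seconds 60` all five alerts share one destination and only the first should be logged; with `by_src` the three distinct sources each get one, which also shows how much visibility a global `count 1` filter gives up.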