[Snort-users] threshold.conf limit not working for me

Agus agus.262 at ...11827...
Tue Apr 26 15:23:41 EDT 2011


No luck. Same thing with the threshold command.

I'm using unified2 with barnyard2 to syslog and DB.

When I stop snort I see the filter
gen-id=global sig-id=global type=Limit     tracking=dst count=1
seconds=60  filtered=272

but I still get an alert per second for that one:

alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"ET POLICY
Suspicious inbound to MSSQL port 1433"; flow:to_server; flags:S;
threshold: type limit, count 5, seconds 60, track by_src;
classtype:bad-unknown; reference:url,doc.emergingthreats.net/2010935;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_DB_Connections;
sid:2010935; rev:2;)

Is the threshold in the rule probably overriding the global one? What
does the rule threshold do?

Thanks

2011/4/26 Agus <agus.262 at ...11827...>:
> Exactly Waldo, it means all.
>
> Will try threshold, but the examples and README recommend event_filter..
>
> Will try and get back. Thanks guys
>
> 2011/4/26 Lay, James <james.lay at ...15009...>:
>> It's:
>>
>> threshold gen_id 0, sig_id 0 type limit, track by_dst, count 1, seconds
>> 60
>>
>> James
>>
>> -----Original Message-----
>> From: waldo kitty [mailto:wkitty42 at ...14940...]
>> Sent: Tuesday, April 26, 2011 12:54 PM
>> To: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] threshold.conf limit not working for me
>>
>> On 4/26/2011 13:21, Agus wrote:
>>> Hi guys,
>>>
>>> I'm running snort 2903 and added this line to threshold.conf
>>> event_filter gen_id 0, sig_id 0, type limit, track by_dst, count 1,
>>> seconds 60
>>
>> hunh? does a gen_id and sig_id of 0 mean "all"?
>>
>>> But when I start snort I see lots of this
>>>
>>> Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58447 ->  10.10.x.21:1433
>>> Apr 26 13:03:10 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.100:53887 ->  10.10.x.21:1433
>>> Apr 26 13:03:12 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58448 ->  10.10.x.21:1433
>>> Apr 26 13:03:15 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.114:64883 ->  10.10.x.21:1433
>>> Apr 26 13:03:16 snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 10.10.x.131:58449 ->  10.10.x.21:1433
>>>
>>> Is there something I'm missing?
>>
>> shouldn't the line be gen_id 1, sig_id 2010935  ???
>>
>> ------------------------------------------------------------------------------
>> WhatsUp Gold - Download Free Network Management Software The most
>> intuitive, comprehensive, and cost-effective network management toolset
>> available today.  Delivers lowest initial acquisition cost and overall
>> TCO of any competing solution.
>> http://p.sf.net/sfu/whatsupgold-sd
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>
>
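The behaviour asked about above comes down to filter precedence: in Snort 2.9.x a `threshold` written inside a rule (deprecated in favour of `event_filter`) takes precedence over the global `gen_id 0, sig_id 0` event_filter, so sid 2010935 is governed by its own `count 5, seconds 60, track by_src` rather than by the global `count 1, track by_dst`. The following is an added model of that logic, written for this page and not code from Snort or from anyone in the thread. It parses constructed syslog lines in the same shape as the ones quoted above (the `10.10.x.*` addresses are kept as placeholders), applies `type limit` semantics per tracked address, and shows how many alerts survive with the global filter alone versus with the rule's own threshold in force.

```python
"""Added example: model of Snort's `limit` event filter and its precedence
(rule-specific filter beats the global gen_id 0 / sig_id 0 filter).
Not Snort's code; the sample log lines are constructed for this demo."""
import re
from dataclasses import dataclass, field

# Alert line as barnyard2/snort wrote it to syslog in the thread.
ALERT_RE = re.compile(
    r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] .*?\{TCP\} "
    r"(?P<src>[\d.x]+):\d+ ->\s+(?P<dst>[\d.x]+):\d+"
)

# Constructed sample: the five alerts quoted in the thread plus four more
# from 10.10.x.131 inside the same minute, so the rule's count 5 is exceeded.
_MSG = ("snor snort[25857]: [1:2010935:2] ET POLICY Suspicious inbound to "
        "MSSQL port 1433 [Classification: Potentially Bad Traffic] "
        "[Priority: 2]: {TCP} ")
SAMPLE_LINES = [
    f"Apr 26 13:03:10 {_MSG}10.10.x.131:58447 -> 10.10.x.21:1433",
    f"Apr 26 13:03:10 {_MSG}10.10.x.100:53887 -> 10.10.x.21:1433",
    f"Apr 26 13:03:12 {_MSG}10.10.x.131:58448 -> 10.10.x.21:1433",
    f"Apr 26 13:03:15 {_MSG}10.10.x.114:64883 -> 10.10.x.21:1433",
    f"Apr 26 13:03:16 {_MSG}10.10.x.131:58449 -> 10.10.x.21:1433",
    f"Apr 26 13:03:20 {_MSG}10.10.x.131:58450 -> 10.10.x.21:1433",
    f"Apr 26 13:03:21 {_MSG}10.10.x.131:58451 -> 10.10.x.21:1433",
    f"Apr 26 13:03:22 {_MSG}10.10.x.131:58452 -> 10.10.x.21:1433",
    f"Apr 26 13:03:23 {_MSG}10.10.x.131:58453 -> 10.10.x.21:1433",
]


@dataclass
class LimitFilter:
    """type limit: log the first `count` events per tracked address in each
    `seconds`-long window and drop the rest until the window expires."""
    count: int
    seconds: int
    track: str                      # "by_src" or "by_dst"
    windows: dict = field(default_factory=dict)

    def allow(self, src, dst, t):
        key = src if self.track == "by_src" else dst
        start, seen = self.windows.get(key, (None, 0))
        if start is None or t - start >= self.seconds:
            start, seen = t, 0      # open a fresh window for this address
        seen += 1
        self.windows[key] = (start, seen)
        return seen <= self.count


def hms_to_seconds(ts):
    h, m, s = ts.split()[-1].split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)


def parse_alert(line):
    m = ALERT_RE.search(line)
    if not m:
        return None
    return dict(gid=int(m["gid"]), sid=int(m["sid"]),
                src=m["src"], dst=m["dst"], t=hms_to_seconds(m["ts"]))


def run_filters(lines, global_filter, rule_filters):
    """Snort-style precedence: a filter keyed on (gid, sid) wins over the
    global (0, 0) filter; otherwise the global filter applies.
    Returns the alerts that would actually reach the output plugin."""
    passed = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        f = rule_filters.get((a["gid"], a["sid"]), global_filter)
        if f.allow(a["src"], a["dst"], a["t"]):
            passed.append(a)
    return passed


def alerts_with_global_only():
    # Only the threshold.conf line from the thread: one alert per dst per minute.
    g = LimitFilter(count=1, seconds=60, track="by_dst")
    return run_filters(SAMPLE_LINES, g, {})


def alerts_with_rule_threshold():
    # Same global filter, but sid 2010935 carries its own threshold, which wins.
    g = LimitFilter(count=1, seconds=60, track="by_dst")
    rule = {(1, 2010935): LimitFilter(count=5, seconds=60, track="by_src")}
    return run_filters(SAMPLE_LINES, g, rule)


if __name__ == "__main__":
    print("global filter only :", len(alerts_with_global_only()), "alert(s)")
    print("rule threshold wins:", len(alerts_with_rule_threshold()), "alert(s)")
```

With the global filter alone the nine sample events collapse to one alert for the destination; with the rule's own `count 5, track by_src` in force, 10.10.x.131 gets five alerts and the other two sources one each, seven in total. That is the pattern seen in the thread: the global filter's `filtered=272` counter shows it is working for everything else, while this signature keeps its per-source allowance. To make a global limit apply to such a rule, the rule-level `threshold` has to be removed from the signature or replaced by a stand-alone `event_filter` for that gen_id/sig_id.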



