[Snort-users] How to decide/find gen-id? [new question, rate_filter]

Simon Blixt blixten_496 at ...125...
Mon May 7 08:46:25 EDT 2012


Thanks for clearing it out for me! I have a new question. I've created a rule (just to learn about how to create rules in Snort) to drop packets from a possible DDoS-attack:
drop tcp any any -> 80 (msg:"testing"; flow:established,to_server; detection_filter:track by_src, count 100, seconds 5; sid:1000001;)

It works great, but after the attacker have done the attack, and failed, I still want to block him from accessing my site. Therefore I'm testing to make a rate_filter:
rate_filter gen_id 1, sig_id 1000001, track by_src, count 1, seconds 1, new_action drop, timeout 999999
It doesn't work. The attacker can still access the site, the timeout is not trigging(the whole rate_filter isn't triggering?). 
I'm not sure if I understand count and seconds correctly. I assume count is how many times the rule(sid 1000001) need to trigger in x seconds, before my rate_filter gets activated?
What have I missed?

Thank you in advance

Date: Mon, 7 May 2012 08:31:43 -0400
Subject: Re: [Snort-users] How to decide/find gen-id?
From: akirk at ...1935...
To: blixten_496 at ...125...
CC: snort-users at lists.sourceforge.net

The GID (generator ID) isn't something you should really be specifying manually. Text rules (as in *.rules within the standard rules directory) are all GID 1; shared object rules are GID 3; and preprocessor rules are assigned appropriate GIDs based upon the preprocessor creating them. 

On Mon, May 7, 2012 at 7:51 AM, Simon Blixt <blixten_496 at ...125...> wrote:

I'm setting up an rate_filter for my rule. But I'm stuck in choosing the gen-id.
Is it so simple that all *.rules have the gen-id 1? Or should I look in gen-msg.map for a gen-id to choose?
How do I know which to choose in gen-msg.map if that's the situation?



Live Security Virtual Conference

Exclusive live event will cover all the ways today's security and

threat landscape has changed and how IT managers can respond. Discussions

will include endpoint security, mobile security and the latest in malware

threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

Snort-users mailing list

Snort-users at lists.sourceforge.net

Go to this URL to change user options or unsubscribe:


Snort-users list archive:


Please visit http://blog.snort.org to stay current on all the latest Snort news!

Alex Kirk
AEGIS Program Lead

Sourcefire Vulnerability Research Team
alex.kirk at ...1935...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120507/2735f94f/attachment.html>

More information about the Snort-users mailing list