[Snort-users] threshold.conf not working?

Miguel Alvarez miguellvrz9 at ...11827...
Mon Sep 10 13:01:11 EDT 2012


I noticed today that I had received over 25000 '[125:6:1] ftp_pp: FTP
response length overflow' alerts but I have an existing entry in my
threshold.conf that I thought would stop that from happening.  This is
what I have.  Is there anything wrong with this?

event_filter gen_id 6, sig_id 125, type limit, track by_src, count 1,
seconds 300

But they were coming in multiple times per second:

09/10-09:45:29.334173  [**] [125:6:1] ftp_pp: FTP response length overflow [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
09/10-09:45:29.388236  [**] [125:6:1] ftp_pp: FTP response length overflow [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
09/10-09:45:29.483681  [**] [125:6:1] ftp_pp: FTP response length overflow [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
09/10-09:45:29.651061  [**] [125:6:1] ftp_pp: FTP response length overflow [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
09/10-09:45:29.801567  [**] [125:6:1] ftp_pp: FTP response length overflow [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
09/10-09:45:29.934353  [**] [125:6:1] ftp_pp: FTP response length overflow [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
09/10-09:45:29.947681  [**] [125:6:1] ftp_pp: FTP response length overflow [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
09/10-09:45:29.953925  [**] [125:6:1] ftp_pp: FTP response length overflow [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
09/10-09:45:30.100884  [**] [125:6:1] ftp_pp: FTP response length overflow [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765

Thank you,

Miguel
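As an added example (not part of Miguel's post and not Snort's own code), the check below parses an event_filter line and Snort fast-alert lines, reports whether the filter's gen_id/sig_id pair equals the [gid:sid:rev] tuple the alerts actually carry, and simulates the `limit` window per source address. The sample filter and alert lines are constructed from the ones quoted above; the limit semantics are modelled here as "log the first `count` matching events per `seconds` window, suppress the rest".

```python
import re
from collections import defaultdict
# Constructed sample input: the event_filter line and three alert lines from the post.
FILTER_LINE = "event_filter gen_id 6, sig_id 125, type limit, track by_src, count 1, seconds 300"
ALERT_LINES = """\
09/10-09:45:29.334173  [**] [125:6:1] ftp_pp: FTP response length overflow [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
09/10-09:45:29.388236  [**] [125:6:1] ftp_pp: FTP response length overflow [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
09/10-09:45:30.100884  [**] [125:6:1] ftp_pp: FTP response length overflow [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
"""
# Snort fast-alert format: timestamp [**] [gid:sid:rev] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(r"^\d\d/\d\d-(\d\d):(\d\d):(\d\d)\.(\d+)\s+\[\*\*\]\s+\[(\d+):(\d+):\d+\].*?\{\w+\}\s+(\S+):\d+\s+->\s+(\S+):\d+")

def parse_filter(line):
    """'event_filter k v, k v, ...' -> dict; numeric fields become ints."""
    cfg = dict(p.split() for p in line.split(None, 1)[1].split(","))
    for k in ("gen_id", "sig_id", "count", "seconds"):
        cfg[k] = int(cfg[k])
    return cfg

def parse_alert(line):
    m = ALERT_RE.match(line)
    if not m:
        return None
    hh, mm, ss, us = (int(x) for x in m.group(1, 2, 3, 4))
    return {"t": hh * 3600 + mm * 60 + ss + us / 1e6,
            "gid": int(m[5]), "sid": int(m[6]), "src": m[7], "dst": m[8]}

def apply_limit_filter(cfg, alerts):
    """Simulate 'type limit': per tracked address, log the first `count` matching events per
    `seconds` window and suppress the rest. Alerts whose gid:sid differ from the filter's pair are untouched."""
    logged, suppressed = [], []
    windows = defaultdict(lambda: [None, 0])  # addr -> [window_start, events_seen]
    for a in alerts:
        if (a["gid"], a["sid"]) != (cfg["gen_id"], cfg["sig_id"]):
            logged.append(a)
            continue
        w = windows[a["src"] if cfg["track"] == "by_src" else a["dst"]]
        if w[0] is None or a["t"] - w[0] >= cfg["seconds"]:
            w[0], w[1] = a["t"], 0
        w[1] += 1
        (logged if w[1] <= cfg["count"] else suppressed).append(a)
    return logged, suppressed

def check(filter_line, alert_text):
    """Return the filter's (gen_id, sig_id), the (gid, sid) pairs seen, and the simulated counts."""
    cfg = parse_filter(filter_line)
    alerts = [a for a in map(parse_alert, alert_text.splitlines()) if a]
    logged, suppressed = apply_limit_filter(cfg, alerts)
    return {"filter": (cfg["gen_id"], cfg["sig_id"]), "alerts": {(a["gid"], a["sid"]) for a in alerts},
            "logged": len(logged), "suppressed": len(suppressed)}
```

If `check()` reports a filter pair that is not among the alert pairs, the filter never applies and every event is logged; the same filter with the pair matching the alerts' [gid:sid] shows the expected suppression.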
