[Snort-users] threshold.conf not working?

Russ Combs rcombs at ...1935...
Mon Sep 10 13:06:12 EDT 2012


You swapped gid and sid.

On Mon, Sep 10, 2012 at 1:01 PM, Miguel Alvarez <miguellvrz9 at ...11827...>wrote:

> I noticed today that I had received over 25000 '[125:6:1] ftp_pp: FTP
> response length overflow' alerts but I have an existing entry in my
> threshold.conf that I thought would stop that from happening.  This is
> what I have.  Is there anything wrong with this?
>
> event_filter gen_id 6, sig_id 125, type limit, track by_src, count 1,
> seconds 300
>
> But they were coming in multiple times per second:
>
> 09/10-09:45:29.334173  [**] [125:6:1] ftp_pp: FTP response length
> overflow [**] [Classification: Attempted User Privilege Gain]
> [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
> 09/10-09:45:29.388236  [**] [125:6:1] ftp_pp: FTP response length
> overflow [**] [Classification: Attempted User Privilege Gain]
> [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
> 09/10-09:45:29.483681  [**] [125:6:1] ftp_pp: FTP response length
> overflow [**] [Classification: Attempted User Privilege Gain]
> [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
> 09/10-09:45:29.651061  [**] [125:6:1] ftp_pp: FTP response length
> overflow [**] [Classification: Attempted User Privilege Gain]
> [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
> 09/10-09:45:29.801567  [**] [125:6:1] ftp_pp: FTP response length
> overflow [**] [Classification: Attempted User Privilege Gain]
> [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
> 09/10-09:45:29.934353  [**] [125:6:1] ftp_pp: FTP response length
> overflow [**] [Classification: Attempted User Privilege Gain]
> [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
> 09/10-09:45:29.947681  [**] [125:6:1] ftp_pp: FTP response length
> overflow [**] [Classification: Attempted User Privilege Gain]
> [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
> 09/10-09:45:29.953925  [**] [125:6:1] ftp_pp: FTP response length
> overflow [**] [Classification: Attempted User Privilege Gain]
> [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
> 09/10-09:45:30.100884  [**] [125:6:1] ftp_pp: FTP response length
> overflow [**] [Classification: Attempted User Privilege Gain]
> [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765
>
> Thank you,
>
> Miguel
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120910/5e4c602a/attachment.html>


More information about the Snort-users mailing list