[Snort-users] threshold.conf not working?

James Lay jlay at ...13475...
Mon Sep 10 13:09:02 EDT 2012


On 2012-09-10 11:01, Miguel Alvarez wrote:
> I noticed today that I had received over 25000 '[125:6:1] ftp_pp: FTP
> response length overflow' alerts but I have an existing entry in my
> threshold.conf that I thought would stop that from happening.  This is
> what I have.  Is there anything wrong with this?
>
> event_filter gen_id 6, sig_id 125, type limit, track by_src, count 1,
> seconds 300
>
> But they were coming in multiple times per second:
>
> 09/10-09:45:29.334173  [**] [125:6:1] ftp_pp: FTP response length
> overflow [**] [Classification: Attempted User Privilege Gain]
> [Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765

Reverse your gen and sig and you're good:

event_filter gen_id 125, sig_id 6, type limit, track by_src, count 1, seconds 300

James
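To make the effect of the swapped ids visible, here is an added example (not from the thread, and not Snort's own code) that parses an event_filter line and a handful of constructed fast-format alert lines, then replays the documented "type limit" semantics (log the first `count` events per tracked address in each `seconds` window, drop the rest). The [125:6:1] tuple and the 192.168.5.104 source come from the original post; the timestamps, the 10.0.0.7 source and the function names are assumptions made for the example.

```python
"""Replay a Snort event_filter of type limit over sample alerts, to show why
an entry with gen_id and sig_id swapped never matches and suppresses nothing."""
import re

# Constructed alert lines in Snort fast-alert format. The generator/signature
# tuple [125:6:1] is from the thread; times and the second source address are made up.
SAMPLE_ALERTS = [
    "09/10-09:45:29.334173  [**] [125:6:1] ftp_pp: FTP response length overflow [**] "
    "[Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765",
    "09/10-09:45:29.501002  [**] [125:6:1] ftp_pp: FTP response length overflow [**] "
    "[Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2765",
    "09/10-09:45:30.100000  [**] [125:6:1] ftp_pp: FTP response length overflow [**] "
    "[Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2766",
    "09/10-09:45:31.000000  [**] [125:6:1] ftp_pp: FTP response length overflow [**] "
    "[Priority: 1] {TCP} 10.0.0.7:2100 -> 192.168.232.36:2767",
    # 330 seconds after the first alert from 192.168.5.104: a new 300 s window.
    "09/10-09:51:00.000000  [**] [125:6:1] ftp_pp: FTP response length overflow [**] "
    "[Priority: 1] {TCP} 192.168.5.104:2100 -> 192.168.232.36:2768",
]

WRONG_FILTER = "event_filter gen_id 6, sig_id 125, type limit, track by_src, count 1, seconds 300"
FIXED_FILTER = "event_filter gen_id 125, sig_id 6, type limit, track by_src, count 1, seconds 300"

FILTER_RE = re.compile(r"^\s*event_filter\s+(.+?)\s*$")
ALERT_RE = re.compile(
    r"^\d\d/\d\d-(\d\d):(\d\d):(\d\d)\.(\d{6})\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]"
    r".*\{\w+\}\s+([\d.]+):\d+\s+->\s+([\d.]+):\d+"
)


def parse_event_filter(line):
    """Split 'event_filter k v, k v, ...' into a dict with typed values."""
    m = FILTER_RE.match(line)
    if not m:
        raise ValueError("not an event_filter line: %r" % line)
    fields = dict(part.split() for part in m.group(1).split(","))
    return {
        "gen_id": int(fields["gen_id"]),
        "sig_id": int(fields["sig_id"]),
        "type": fields["type"],
        "track": fields["track"],
        "count": int(fields["count"]),
        "seconds": int(fields["seconds"]),
    }


def parse_alert(line):
    """Extract time-of-day (seconds), [gen:sig:rev] and the two addresses."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("unrecognised alert line: %r" % line)
    hh, mm, ss, us, gen, sig, rev, src, dst = m.groups()
    return {
        "ts": int(hh) * 3600 + int(mm) * 60 + int(ss) + int(us) / 1e6,
        "gen_id": int(gen), "sig_id": int(sig), "rev": int(rev),
        "src": src, "dst": dst,
    }


def apply_limit_filter(filt, alerts):
    """Return the alerts still logged under a type-limit event_filter.

    Alerts whose (gen_id, sig_id) does not equal the filter's pair are not
    covered by it and pass through unchanged; for covered alerts only the
    first `count` per tracked address in each `seconds` window are logged.
    """
    if filt["type"] != "limit":
        raise ValueError("this example only models type limit")
    windows = {}  # tracked address -> (window start, events seen in window)
    logged = []
    for line in alerts:
        a = parse_alert(line)
        if (a["gen_id"], a["sig_id"]) != (filt["gen_id"], filt["sig_id"]):
            logged.append(line)
            continue
        key = a["src"] if filt["track"] == "by_src" else a["dst"]
        start, n = windows.get(key, (None, 0))
        if start is None or a["ts"] - start >= filt["seconds"]:
            start, n = a["ts"], 0  # open a fresh window on this event
        n += 1
        windows[key] = (start, n)
        if n <= filt["count"]:
            logged.append(line)
    return logged


def count_logged(filter_line, alerts=SAMPLE_ALERTS):
    """How many of the sample alerts survive the given event_filter line."""
    return len(apply_limit_filter(parse_event_filter(filter_line), alerts))


if __name__ == "__main__":
    print("swapped ids :", count_logged(WRONG_FILTER), "of", len(SAMPLE_ALERTS), "alerts logged")
    print("correct ids :", count_logged(FIXED_FILTER), "of", len(SAMPLE_ALERTS), "alerts logged")
```

With the swapped entry every sample alert is logged, because no alert carries generator 6 / signature 125; with the corrected entry only the first alert per source in each 300-second window survives. Comparing the `[gen:sig:rev]` tuple in the alert line against the `gen_id`/`sig_id` pair in threshold.conf is the quickest check when a filter appears to do nothing.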



